rpm package
almalinux/pcs-snmp
pkg:rpm/almalinux/pcs-snmp
Vulnerabilities (33)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-26141 | — | < 0.11.7-2.el9_4 | 0.11.7-2.el9_4 | Feb 28, 2024 | Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middlewa | ||
| CVE-2024-25126 | — | < 0.11.7-2.el9_4 | 0.11.7-2.el9_4 | Feb 28, 2024 | Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 | ||
| CVE-2024-26146 | — | < 0.11.7-2.el9_4 | 0.11.7-2.el9_4 | Feb 28, 2024 | Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack appl | ||
| CVE-2023-2319 | Cri | 9.8 | < 0.11.4-7.el9_2 | 0.11.4-7.el9_2 | May 17, 2023 | It was discovered that an update for PCS package in RHBA-2023:2151 erratum released as part of Red Hat Enterprise Linux 9.2 failed to include the fix for the Webpack issue CVE-2023-28154 (for PCS package), which was previously addressed in Red Hat Enterprise Linux 9.1 via erratum | |
| CVE-2023-28154 | Cri | 9.8 | < 0.11.3-4.el9_1.3 | 0.11.3-4.el9_1.3 | Mar 13, 2023 | Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object. | |
| CVE-2023-27530 | Hig | 7.5 | < 0.11.4-7.el9_2 | 0.11.4-7.el9_2 | Mar 10, 2023 | A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected. | |
| CVE-2022-45442 | Hig | 8.8 | < 0.10.14-5.el8_7.2.alma | 0.10.14-5.el8_7.2.alma | Nov 28, 2022 | Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response whe | |
| CVE-2022-38900 | Hig | 7.5 | < 0.11.6-3.el9 | 0.11.6-3.el9 | Nov 28, 2022 | decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. | |
| CVE-2022-2735 | Hig | 7.8 | < 0.11.1-10.el9_0.2 | 0.11.1-10.el9_0.2 | Sep 6, 2022 | A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" t | |
| CVE-2022-29970 | Hig | 7.5 | < 0.11.1-10.el9 | 0.11.1-10.el9 | May 2, 2022 | Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. | |
| CVE-2022-1049 | Hig | 8.8 | < 0.10.14-5.el8.alma | 0.10.14-5.el8.alma | Mar 25, 2022 | A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login. | |
| CVE-2020-7656 | Med | 6.1 | < 0.10.10-4.el8.alma | 0.10.10-4.el8.alma | May 19, 2020 | jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "", which results in the enclosed script logic to be executed. | |
| CVE-2020-11023 | Med | 6.9 | KEV | < 0.10.10-4.el8.alma | 0.10.10-4.el8.alma | Apr 29, 2020 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro |
- CVE-2024-26141Feb 28, 2024affected < 0.11.7-2.el9_4fixed 0.11.7-2.el9_4
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middlewa
- CVE-2024-25126Feb 28, 2024affected < 0.11.7-2.el9_4fixed 0.11.7-2.el9_4
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1
- CVE-2024-26146Feb 28, 2024affected < 0.11.7-2.el9_4fixed 0.11.7-2.el9_4
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack appl
- affected < 0.11.4-7.el9_2fixed 0.11.4-7.el9_2
It was discovered that an update for PCS package in RHBA-2023:2151 erratum released as part of Red Hat Enterprise Linux 9.2 failed to include the fix for the Webpack issue CVE-2023-28154 (for PCS package), which was previously addressed in Red Hat Enterprise Linux 9.1 via erratum
- affected < 0.11.3-4.el9_1.3fixed 0.11.3-4.el9_1.3
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
- affected < 0.11.4-7.el9_2fixed 0.11.4-7.el9_2
A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.
- affected < 0.10.14-5.el8_7.2.almafixed 0.10.14-5.el8_7.2.alma
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response whe
- affected < 0.11.6-3.el9fixed 0.11.6-3.el9
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
- affected < 0.11.1-10.el9_0.2fixed 0.11.1-10.el9_0.2
A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" t
- affected < 0.11.1-10.el9fixed 0.11.1-10.el9
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
- affected < 0.10.14-5.el8.almafixed 0.10.14-5.el8.alma
A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login.
- affected < 0.10.10-4.el8.almafixed 0.10.10-4.el8.alma
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "", which results in the enclosed script logic to be executed.
- affected < 0.10.10-4.el8.almafixed 0.10.10-4.el8.alma
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro
Page 2 of 2