rpm package

suse/ardana-cassandra&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/ardana-cassandra&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (10)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2019-20933	—	< 9.0+git.1600802664.7e480a2-3.6.2	9.0+git.1600802664.7e480a2-3.6.2	Nov 19, 2020	InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
CVE-2020-24303	—	< 9.0+git.1600802664.7e480a2-3.6.2	9.0+git.1600802664.7e480a2-3.6.2	Oct 28, 2020	Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-26137	—	< 9.0+git.1600802664.7e480a2-3.6.2	9.0+git.1600802664.7e480a2-3.6.2	Sep 29, 2020	urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2020-5390	—	< 9.0+git.1600802664.7e480a2-3.6.2	9.0+git.1600802664.7e480a2-3.6.2	Jan 13, 2020	PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2019-11068	—	< 9.0+git.1557220194.6a90deb-3.3.3	9.0+git.1557220194.6a90deb-3.3.3	Apr 10, 2019	libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
CVE-2016-10745	—	< 9.0+git.1600802664.7e480a2-3.6.2	9.0+git.1600802664.7e480a2-3.6.2	Apr 8, 2019	In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
CVE-2019-10906	—	< 9.0+git.1600802664.7e480a2-3.6.2	9.0+git.1600802664.7e480a2-3.6.2	Apr 6, 2019	In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
CVE-2019-10876	—	< 9.0+git.1557220194.6a90deb-3.3.3	9.0+git.1557220194.6a90deb-3.3.3	Apr 5, 2019	An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes
CVE-2019-8341	—	< 9.0+git.1600802664.7e480a2-3.6.2	9.0+git.1600802664.7e480a2-3.6.2	Feb 15, 2019	An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE:
CVE-2018-19039	—	< 9.0+git.1557220194.6a90deb-3.3.3	9.0+git.1557220194.6a90deb-3.3.3	Dec 13, 2018	Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.

CVE-2019-20933Nov 19, 2020
affected < 9.0+git.1600802664.7e480a2-3.6.2fixed 9.0+git.1600802664.7e480a2-3.6.2
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
CVE-2020-24303Oct 28, 2020
affected < 9.0+git.1600802664.7e480a2-3.6.2fixed 9.0+git.1600802664.7e480a2-3.6.2
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-26137Sep 29, 2020
affected < 9.0+git.1600802664.7e480a2-3.6.2fixed 9.0+git.1600802664.7e480a2-3.6.2
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2020-5390Jan 13, 2020
affected < 9.0+git.1600802664.7e480a2-3.6.2fixed 9.0+git.1600802664.7e480a2-3.6.2
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2019-11068Apr 10, 2019
affected < 9.0+git.1557220194.6a90deb-3.3.3fixed 9.0+git.1557220194.6a90deb-3.3.3
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
CVE-2016-10745Apr 8, 2019
affected < 9.0+git.1600802664.7e480a2-3.6.2fixed 9.0+git.1600802664.7e480a2-3.6.2
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
CVE-2019-10906Apr 6, 2019
affected < 9.0+git.1600802664.7e480a2-3.6.2fixed 9.0+git.1600802664.7e480a2-3.6.2
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
CVE-2019-10876Apr 5, 2019
affected < 9.0+git.1557220194.6a90deb-3.3.3fixed 9.0+git.1557220194.6a90deb-3.3.3
An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes
CVE-2019-8341Feb 15, 2019
affected < 9.0+git.1600802664.7e480a2-3.6.2fixed 9.0+git.1600802664.7e480a2-3.6.2
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE:
CVE-2018-19039Dec 13, 2018
affected < 9.0+git.1557220194.6a90deb-3.3.3fixed 9.0+git.1557220194.6a90deb-3.3.3
Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.