rpm package
suse/ardana-logging&distro=HPE Helion OpenStack 8
pkg:rpm/suse/ardana-logging&distro=HPE%20Helion%20OpenStack%208
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-10743 | — | < 8.0+git.1610573640.452aed1-3.27.1 | 8.0+git.1610573640.452aed1-3.27.1 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | ||
| CVE-2021-3281 | — | < 8.0+git.1610573640.452aed1-3.27.1 | 8.0+git.1610573640.452aed1-3.27.1 | Feb 2, 2021 | In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments. | ||
| CVE-2020-13379 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2020-13596 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. | ||
| CVE-2020-13254 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. | ||
| CVE-2020-11077 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | May 22, 2020 | In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis | ||
| CVE-2020-11076 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | May 22, 2020 | In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. | ||
| CVE-2020-8151 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | May 12, 2020 | There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information. | ||
| CVE-2020-10663 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Apr 28, 2020 | The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, | ||
| CVE-2020-12052 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Apr 27, 2020 | Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | ||
| CVE-2018-17954 | — | < 8.0+git.1572452293.e65d714-3.21.3 | 8.0+git.1572452293.e65d714-3.21.3 | Apr 3, 2020 | An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a | ||
| CVE-2019-18901 | — | < 8.0+git.1572452293.e65d714-3.21.3 | 8.0+git.1572452293.e65d714-3.21.3 | Mar 2, 2020 | A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Li | ||
| CVE-2019-16792 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Jan 22, 2020 | Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. | ||
| CVE-2020-7595 | — | < 8.0+git.1572452293.e65d714-3.21.3 | 8.0+git.1572452293.e65d714-3.21.3 | Jan 21, 2020 | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. | ||
| CVE-2020-2574 | — | < 8.0+git.1572452293.e65d714-3.21.3 | 8.0+git.1572452293.e65d714-3.21.3 | Jan 15, 2020 | Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple prot | ||
| CVE-2020-5390 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Jan 13, 2020 | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus | ||
| CVE-2019-19911 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Jan 5, 2020 | There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho | ||
| CVE-2020-5312 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Jan 3, 2020 | libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. | ||
| CVE-2020-5313 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Jan 3, 2020 | libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. | ||
| CVE-2019-16789 | — | < 8.0+git.1591194866.b7375d0-3.24.1 | 8.0+git.1591194866.b7375d0-3.24.1 | Dec 26, 2019 | In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain |
- CVE-2020-10743Jun 2, 2021affected < 8.0+git.1610573640.452aed1-3.27.1fixed 8.0+git.1610573640.452aed1-3.27.1
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- CVE-2021-3281Feb 2, 2021affected < 8.0+git.1610573640.452aed1-3.27.1fixed 8.0+git.1610573640.452aed1-3.27.1
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
- CVE-2020-13379Jun 3, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2020-13596Jun 3, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
- CVE-2020-13254Jun 3, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
- CVE-2020-11077May 22, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis
- CVE-2020-11076May 22, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
- CVE-2020-8151May 12, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
- CVE-2020-10663Apr 28, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically,
- CVE-2020-12052Apr 27, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
- CVE-2018-17954Apr 3, 2020affected < 8.0+git.1572452293.e65d714-3.21.3fixed 8.0+git.1572452293.e65d714-3.21.3
An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
- CVE-2019-18901Mar 2, 2020affected < 8.0+git.1572452293.e65d714-3.21.3fixed 8.0+git.1572452293.e65d714-3.21.3
A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Li
- CVE-2019-16792Jan 22, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally.
- CVE-2020-7595Jan 21, 2020affected < 8.0+git.1572452293.e65d714-3.21.3fixed 8.0+git.1572452293.e65d714-3.21.3
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
- CVE-2020-2574Jan 15, 2020affected < 8.0+git.1572452293.e65d714-3.21.3fixed 8.0+git.1572452293.e65d714-3.21.3
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple prot
- CVE-2020-5390Jan 13, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
- CVE-2019-19911Jan 5, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho
- CVE-2020-5312Jan 3, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
- CVE-2020-5313Jan 3, 2020affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
- CVE-2019-16789Dec 26, 2019affected < 8.0+git.1591194866.b7375d0-3.24.1fixed 8.0+git.1591194866.b7375d0-3.24.1
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain
Page 1 of 3