rpm package
suse/ardana-mq&distro=SUSE OpenStack Cloud 9
pkg:rpm/suse/ardana-mq&distro=SUSE%20OpenStack%20Cloud%209
Vulnerabilities (51)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-10743 | Med | 4.3 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | |
| CVE-2019-20933 | Cri | 9.8 | < 9.0+git.1605174486.a78ddce-3.19.2 | 9.0+git.1605174486.a78ddce-3.19.2 | Nov 19, 2020 | InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). | |
| CVE-2020-24303 | Med | 6.1 | < 9.0+git.1605174486.a78ddce-3.19.2 | 9.0+git.1605174486.a78ddce-3.19.2 | Oct 28, 2020 | Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. | |
| CVE-2020-26137 | Med | 6.5 | < 9.0+git.1605174486.a78ddce-3.19.2 | 9.0+git.1605174486.a78ddce-3.19.2 | Sep 30, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | |
| CVE-2020-11538 | Hig | 8.1 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 25, 2020 | In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. | |
| CVE-2020-10994 | Med | 5.5 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 25, 2020 | In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. | |
| CVE-2020-10378 | Med | 5.5 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 25, 2020 | In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. | |
| CVE-2020-10177 | Med | 5.5 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 25, 2020 | Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. | |
| CVE-2020-8184 | Hig | 7.5 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 19, 2020 | A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. | |
| CVE-2020-10755 | Med | 6.5 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 10, 2020 | An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th | |
| CVE-2020-13379 | Hig | 8.2 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | |
| CVE-2020-13596 | Med | 6.1 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. | |
| CVE-2020-13254 | Med | 5.9 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. | |
| CVE-2020-12052 | Med | 6.1 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Apr 27, 2020 | Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | |
| CVE-2018-17954 | Cri | 9.3 | < 9.0+git.1581024903.8e74867-3.10.1 | 9.0+git.1581024903.8e74867-3.10.1 | Apr 3, 2020 | An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a | |
| CVE-2020-9543 | Hig | 8.3 | < 9.0+git.1586350749.a463fd2-3.13.1 | 9.0+git.1586350749.a463fd2-3.13.1 | Mar 12, 2020 | OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares o | |
| CVE-2020-9402 | Hig | 8.8 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Mar 5, 2020 | Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possibl | |
| CVE-2020-5247 | Med | 6.5 | < 9.0+git.1586350749.a463fd2-3.13.1 | 9.0+git.1586350749.a463fd2-3.13.1 | Feb 28, 2020 | In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entir | |
| CVE-2020-7471 | Cri | 9.8 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Feb 3, 2020 | Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitabl | |
| CVE-2019-16792 | Hig | 7.1 | < 9.0+git.1593618110.cbd1a37-3.16.2 | 9.0+git.1593618110.cbd1a37-3.16.2 | Jan 22, 2020 | Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. |
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- affected < 9.0+git.1605174486.a78ddce-3.19.2fixed 9.0+git.1605174486.a78ddce-3.19.2
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
- affected < 9.0+git.1605174486.a78ddce-3.19.2fixed 9.0+git.1605174486.a78ddce-3.19.2
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
- affected < 9.0+git.1605174486.a78ddce-3.19.2fixed 9.0+git.1605174486.a78ddce-3.19.2
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
- affected < 9.0+git.1581024903.8e74867-3.10.1fixed 9.0+git.1581024903.8e74867-3.10.1
An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
- affected < 9.0+git.1586350749.a463fd2-3.13.1fixed 9.0+git.1586350749.a463fd2-3.13.1
OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares o
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possibl
- affected < 9.0+git.1586350749.a463fd2-3.13.1fixed 9.0+git.1586350749.a463fd2-3.13.1
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entir
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitabl
- affected < 9.0+git.1593618110.cbd1a37-3.16.2fixed 9.0+git.1593618110.cbd1a37-3.16.2
Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally.
Page 1 of 3