rpm package
suse/crowbar-ha&distro=SUSE OpenStack Cloud Crowbar 8
pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
Vulnerabilities (46)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-10743 | — | < 5.0+git.1610564036.b75ee1b-3.35.1 | 5.0+git.1610564036.b75ee1b-3.35.1 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | ||
| CVE-2021-3281 | — | < 5.0+git.1610564036.b75ee1b-3.35.1 | 5.0+git.1610564036.b75ee1b-3.35.1 | Feb 2, 2021 | In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments. | ||
| CVE-2018-17954 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Apr 3, 2020 | An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a | ||
| CVE-2020-9543 | — | < 5.0+git.1585316176.344190f-3.32.1 | 5.0+git.1585316176.344190f-3.32.1 | Mar 12, 2020 | OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares o | ||
| CVE-2019-18901 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Mar 2, 2020 | A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Li | ||
| CVE-2020-5247 | — | < 5.0+git.1585316176.344190f-3.32.1 | 5.0+git.1585316176.344190f-3.32.1 | Feb 28, 2020 | In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entir | ||
| CVE-2020-7595 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Jan 21, 2020 | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. | ||
| CVE-2020-2574 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Jan 15, 2020 | Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple prot | ||
| CVE-2019-16770 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Dec 5, 2019 | In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p | ||
| CVE-2019-2974 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Oct 16, 2019 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mult | ||
| CVE-2019-2938 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Oct 16, 2019 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromi | ||
| CVE-2017-1002201 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Oct 15, 2019 | In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially e | ||
| CVE-2019-15043 | — | < 5.0+git.1567673535.607aada-3.26.2 | 5.0+git.1567673535.607aada-3.26.2 | Sep 3, 2019 | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. | ||
| CVE-2019-15026 | — | < 5.0+git.1585316176.344190f-3.32.1 | 5.0+git.1585316176.344190f-3.32.1 | Aug 30, 2019 | memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c. | ||
| CVE-2019-5477 | — | < 5.0+git.1567673535.607aada-3.26.2 | 5.0+git.1567673535.607aada-3.26.2 | Aug 16, 2019 | A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input a | ||
| CVE-2019-2805 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mu | ||
| CVE-2019-2758 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr | ||
| CVE-2019-2740 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multi | ||
| CVE-2019-2739 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon | ||
| CVE-2019-2737 | — | < 5.0+git.1574286229.e0364c3-3.29.3 | 5.0+git.1574286229.e0364c3-3.29.3 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network acc |
- CVE-2020-10743Jun 2, 2021affected < 5.0+git.1610564036.b75ee1b-3.35.1fixed 5.0+git.1610564036.b75ee1b-3.35.1
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- CVE-2021-3281Feb 2, 2021affected < 5.0+git.1610564036.b75ee1b-3.35.1fixed 5.0+git.1610564036.b75ee1b-3.35.1
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
- CVE-2018-17954Apr 3, 2020affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
- CVE-2020-9543Mar 12, 2020affected < 5.0+git.1585316176.344190f-3.32.1fixed 5.0+git.1585316176.344190f-3.32.1
OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares o
- CVE-2019-18901Mar 2, 2020affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Li
- CVE-2020-5247Feb 28, 2020affected < 5.0+git.1585316176.344190f-3.32.1fixed 5.0+git.1585316176.344190f-3.32.1
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entir
- CVE-2020-7595Jan 21, 2020affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
- CVE-2020-2574Jan 15, 2020affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple prot
- CVE-2019-16770Dec 5, 2019affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p
- CVE-2019-2974Oct 16, 2019affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mult
- CVE-2019-2938Oct 16, 2019affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromi
- CVE-2017-1002201Oct 15, 2019affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially e
- CVE-2019-15043Sep 3, 2019affected < 5.0+git.1567673535.607aada-3.26.2fixed 5.0+git.1567673535.607aada-3.26.2
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
- CVE-2019-15026Aug 30, 2019affected < 5.0+git.1585316176.344190f-3.32.1fixed 5.0+git.1585316176.344190f-3.32.1
memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.
- CVE-2019-5477Aug 16, 2019affected < 5.0+git.1567673535.607aada-3.26.2fixed 5.0+git.1567673535.607aada-3.26.2
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input a
- CVE-2019-2805Jul 23, 2019affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mu
- CVE-2019-2758Jul 23, 2019affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr
- CVE-2019-2740Jul 23, 2019affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multi
- CVE-2019-2739Jul 23, 2019affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon
- CVE-2019-2737Jul 23, 2019affected < 5.0+git.1574286229.e0364c3-3.29.3fixed 5.0+git.1574286229.e0364c3-3.29.3
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network acc
Page 1 of 3