rpm package
suse/crowbar-openstack&distro=SUSE OpenStack Cloud Crowbar 8
pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
Vulnerabilities (135)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-25032 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Aug 31, 2020 | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. | ||
| CVE-2020-17376 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Aug 26, 2020 | An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar | ||
| CVE-2019-14904 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Aug 25, 2020 | A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw | ||
| CVE-2020-11110 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Jul 27, 2020 | Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. | ||
| CVE-2020-10177 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Jun 25, 2020 | Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. | ||
| CVE-2020-10994 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Jun 25, 2020 | In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. | ||
| CVE-2020-10378 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Jun 25, 2020 | In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. | ||
| CVE-2020-13379 | — | < 5.0+git.1593085772.64c4ab43c-4.40.2 | 5.0+git.1593085772.64c4ab43c-4.40.2 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2020-13596 | — | < 5.0+git.1593085772.64c4ab43c-4.40.2 | 5.0+git.1593085772.64c4ab43c-4.40.2 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. | ||
| CVE-2020-13254 | — | < 5.0+git.1593085772.64c4ab43c-4.40.2 | 5.0+git.1593085772.64c4ab43c-4.40.2 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. | ||
| CVE-2018-18625 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2018-18624 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2018-18623 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Jun 2, 2020 | Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2020-11077 | — | < 5.0+git.1593085772.64c4ab43c-4.40.2 | 5.0+git.1593085772.64c4ab43c-4.40.2 | May 22, 2020 | In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis | ||
| CVE-2020-11076 | — | < 5.0+git.1593085772.64c4ab43c-4.40.2 | 5.0+git.1593085772.64c4ab43c-4.40.2 | May 22, 2020 | In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. | ||
| CVE-2020-10744 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | May 15, 2020 | An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18 | ||
| CVE-2020-1746 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | May 12, 2020 | A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are use | ||
| CVE-2020-8151 | — | < 5.0+git.1593085772.64c4ab43c-4.40.2 | 5.0+git.1593085772.64c4ab43c-4.40.2 | May 12, 2020 | There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information. | ||
| CVE-2020-10685 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | May 11, 2020 | A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, | ||
| CVE-2020-10691 | — | < 5.0+git.1599037158.5c4d07480-4.43.1 | 5.0+git.1599037158.5c4d07480-4.43.1 | Apr 30, 2020 | An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwr |
- CVE-2020-25032Aug 31, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
- CVE-2020-17376Aug 26, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar
- CVE-2019-14904Aug 25, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw
- CVE-2020-11110Jul 27, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
- CVE-2020-10177Jun 25, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
- CVE-2020-10994Jun 25, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
- CVE-2020-10378Jun 25, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
- CVE-2020-13379Jun 3, 2020affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2020-13596Jun 3, 2020affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
- CVE-2020-13254Jun 3, 2020affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
- CVE-2018-18625Jun 2, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2018-18624Jun 2, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2018-18623Jun 2, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2020-11077May 22, 2020affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis
- CVE-2020-11076May 22, 2020affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
- CVE-2020-10744May 15, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18
- CVE-2020-1746May 12, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are use
- CVE-2020-8151May 12, 2020affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
- CVE-2020-10685May 11, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble,
- CVE-2020-10691Apr 30, 2020affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwr
Page 2 of 7