rpm package

suse/grafana&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (81)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2020-10743	—	< 6.2.5-3.12.2	6.2.5-3.12.2	Jun 2, 2021	It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
CVE-2021-31542	—	< 6.7.4-3.23.2	6.7.4-3.23.2	May 5, 2021	In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVE-2021-28658	—	< 6.7.4-3.23.2	6.7.4-3.23.2	Apr 6, 2021	In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
CVE-2021-28957	—	< 6.7.4-3.26.1	6.7.4-3.26.1	Mar 21, 2021	An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit thi
CVE-2021-27358	—	< 6.7.4-3.23.2	6.7.4-3.23.2	Mar 18, 2021	The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
CVE-2019-25025	—	< 6.7.4-3.23.2	6.7.4-3.23.2	Mar 5, 2021	The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepanci
CVE-2021-23336	—	< 6.7.4-3.23.2	6.7.4-3.23.2	Feb 15, 2021	The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When
CVE-2020-17516	—	< 6.7.4-3.23.2	6.7.4-3.23.2	Feb 3, 2021	Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted
CVE-2021-21238	—	< 6.7.4-3.23.2	6.7.4-3.23.2	Jan 21, 2021	PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig
CVE-2021-21239	—	< 6.7.4-3.23.2	6.7.4-3.23.2	Jan 21, 2021	PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted
CVE-2020-29651	—	< 6.7.4-3.23.2	6.7.4-3.23.2	Dec 9, 2020	A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.
CVE-2020-27783	—	< 6.7.4-3.26.1	6.7.4-3.26.1	Dec 3, 2020	A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
CVE-2019-20933	—	< 6.7.4-3.20.1	6.7.4-3.20.1	Nov 19, 2020	InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
CVE-2020-24303	—	< 6.7.4-3.20.1	6.7.4-3.20.1	Oct 28, 2020	Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-26137	—	< 6.7.4-3.20.1	6.7.4-3.20.1	Sep 29, 2020	urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2020-25032	—	< 6.7.4-3.17.1	6.7.4-3.17.1	Aug 31, 2020	An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CVE-2020-17376	—	< 6.7.4-3.17.1	6.7.4-3.17.1	Aug 26, 2020	An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar
CVE-2020-11110	—	< 6.7.4-3.17.1	6.7.4-3.17.1	Jul 27, 2020	Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-10177	—	< 6.2.5-3.12.2	6.2.5-3.12.2	Jun 25, 2020	Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
CVE-2020-11538	—	< 6.2.5-3.12.2	6.2.5-3.12.2	Jun 25, 2020	In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

CVE-2020-10743Jun 2, 2021
affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
CVE-2021-31542May 5, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVE-2021-28658Apr 6, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
CVE-2021-28957Mar 21, 2021
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit thi
CVE-2021-27358Mar 18, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
CVE-2019-25025Mar 5, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepanci
CVE-2021-23336Feb 15, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When
CVE-2020-17516Feb 3, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted
CVE-2021-21238Jan 21, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig
CVE-2021-21239Jan 21, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted
CVE-2020-29651Dec 9, 2020
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.
CVE-2020-27783Dec 3, 2020
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
CVE-2019-20933Nov 19, 2020
affected < 6.7.4-3.20.1fixed 6.7.4-3.20.1
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
CVE-2020-24303Oct 28, 2020
affected < 6.7.4-3.20.1fixed 6.7.4-3.20.1
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-26137Sep 29, 2020
affected < 6.7.4-3.20.1fixed 6.7.4-3.20.1
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2020-25032Aug 31, 2020
affected < 6.7.4-3.17.1fixed 6.7.4-3.17.1
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CVE-2020-17376Aug 26, 2020
affected < 6.7.4-3.17.1fixed 6.7.4-3.17.1
An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar
CVE-2020-11110Jul 27, 2020
affected < 6.7.4-3.17.1fixed 6.7.4-3.17.1
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-10177Jun 25, 2020
affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
CVE-2020-11538Jun 25, 2020
affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

Page 2 of 5