VYPR

rpm package

suse/grafana&distro=SUSE OpenStack Cloud Crowbar 9

pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209

Vulnerabilities (81)

  • CVE-2020-5313Jan 3, 2020
    affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2

    libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.

  • CVE-2019-16789Dec 26, 2019
    affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2

    In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain

  • CVE-2019-16785Dec 20, 2019
    affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2

    Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if

  • CVE-2019-16786Dec 20, 2019
    affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2

    Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separ

  • CVE-2019-19844Dec 18, 2019
    affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2

    Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token fo

  • CVE-2019-11287Nov 22, 2019
    affected < 6.7.4-3.29.1fixed 6.7.4-3.29.1

    Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP

  • CVE-2019-16865Oct 4, 2019
    affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2

    An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

  • CVE-2019-15043Sep 3, 2019
    affected < 6.2.5-3.9.3fixed 6.2.5-3.9.3

    In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

  • CVE-2018-11779Jul 25, 2019
    affected < 6.7.4-3.17.1fixed 6.7.4-3.17.1

    In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.

  • CVE-2019-0202Jul 25, 2019
    affected < 6.7.4-3.17.1fixed 6.7.4-3.17.1

    The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpo

  • CVE-2019-11068CriApr 10, 2019
    affected < 5.3.3-3.3.1fixed 5.3.3-3.3.1

    libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

  • CVE-2016-10745Apr 8, 2019
    affected < 6.7.4-3.20.1fixed 6.7.4-3.20.1

    In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

  • CVE-2019-10906Apr 6, 2019
    affected < 6.7.4-3.20.1fixed 6.7.4-3.20.1

    In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

  • CVE-2019-10876Apr 5, 2019
    affected < 5.3.3-3.3.1fixed 5.3.3-3.3.1

    An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes

  • CVE-2019-3828Mar 27, 2019
    affected < 6.2.5-3.12.2fixed 6.2.5-3.12.2

    Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.

  • CVE-2019-3871Mar 21, 2019
    affected < 6.2.5-3.9.3fixed 6.2.5-3.9.3

    A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend, allowing a remote user to cause a denial of

  • CVE-2019-8341Feb 15, 2019
    affected < 6.7.4-3.20.1fixed 6.7.4-3.20.1

    An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE:

  • CVE-2018-19039Dec 13, 2018
    affected < 5.3.3-3.3.1fixed 5.3.3-3.3.1

    Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.

  • CVE-2018-19787Dec 2, 2018
    affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1

    An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar

  • CVE-2017-11481MedDec 8, 2017
    affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2

    Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Page 4 of 5