rpm package

suse/grafana&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (81)

CVE	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2022-23451	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Sep 6, 2022	An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
CVE-2022-23452	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Sep 1, 2022	An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVE-2022-34265	—		< 6.7.4-3.29.1	6.7.4-3.29.1	Jul 4, 2022	An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe l
CVE-2022-29970	—		< 6.7.4-3.26.1	6.7.4-3.26.1	May 2, 2022	Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVE-2022-28346	—		< 6.7.4-3.29.1	6.7.4-3.29.1	Apr 12, 2022	An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
CVE-2022-24790	—		< 6.7.4-3.29.1	6.7.4-3.29.1	Mar 30, 2022	Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta
CVE-2022-22817	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Jan 7, 2022	PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
CVE-2022-22816	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Jan 7, 2022	path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22815	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Jan 7, 2022	path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
CVE-2021-44716	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Jan 1, 2022	net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-43818	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Dec 13, 2021	lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s
CVE-2021-43813	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Dec 10, 2021	Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi
CVE-2021-41184	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Oct 26, 2021	jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option
CVE-2021-41183	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Oct 26, 2021	jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `Text
CVE-2021-41182	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Oct 26, 2021	jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altFi
CVE-2021-39226	—	KEV	< 6.7.4-3.29.1	6.7.4-3.29.1	Oct 5, 2021	Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public
CVE-2021-40085	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Aug 31, 2021	An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.
CVE-2021-38155	—		< 6.7.4-3.26.1	6.7.4-3.26.1	Aug 6, 2021	OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, an
CVE-2021-33203	—		< 6.7.4-3.23.2	6.7.4-3.23.2	Jun 8, 2021	Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs te
CVE-2021-33571	—		< 6.7.4-3.23.2	6.7.4-3.23.2	Jun 8, 2021	In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4

CVE-2022-23451Sep 6, 2022
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
CVE-2022-23452Sep 1, 2022
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVE-2022-34265Jul 4, 2022
affected < 6.7.4-3.29.1fixed 6.7.4-3.29.1
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe l
CVE-2022-29970May 2, 2022
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVE-2022-28346Apr 12, 2022
affected < 6.7.4-3.29.1fixed 6.7.4-3.29.1
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
CVE-2022-24790Mar 30, 2022
affected < 6.7.4-3.29.1fixed 6.7.4-3.29.1
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta
CVE-2022-22817Jan 7, 2022
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
CVE-2022-22816Jan 7, 2022
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22815Jan 7, 2022
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
CVE-2021-44716Jan 1, 2022
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-43818Dec 13, 2021
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s
CVE-2021-43813Dec 10, 2021
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi
CVE-2021-41184Oct 26, 2021
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option
CVE-2021-41183Oct 26, 2021
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text
CVE-2021-41182Oct 26, 2021
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altFi
CVE-2021-39226KEVOct 5, 2021
affected < 6.7.4-3.29.1fixed 6.7.4-3.29.1
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public
CVE-2021-40085Aug 31, 2021
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.
CVE-2021-38155Aug 6, 2021
affected < 6.7.4-3.26.1fixed 6.7.4-3.26.1
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, an
CVE-2021-33203Jun 8, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs te
CVE-2021-33571Jun 8, 2021
affected < 6.7.4-3.23.2fixed 6.7.4-3.23.2
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4

Page 1 of 5