rpm package
suse/hub-xmlrpc-api&distro=SUSE Manager Server Module 4.2
pkg:rpm/suse/hub-xmlrpc-api&distro=SUSE%20Manager%20Server%20Module%204.2
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-22644 | — | — | — | < 0.7-150300.3.12.3 | 0.7-150300.3.12.3 | Sep 20, 2023 | A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE. |
| CVE-2023-29409 | — | — | — | < 0.7-150300.3.14.2 | 0.7-150300.3.14.2 | Aug 2, 2023 | Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr |
| CVE-2022-43754 | — | — | — | < 0.7-150300.3.9.2 | 0.7-150300.3.9.2 | Nov 10, 2022 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote at |
| CVE-2022-43753 | — | — | — | < 0.7-150300.3.9.2 | 0.7-150300.3.9.2 | Nov 10, 2022 | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers |
| CVE-2022-31255 | — | — | — | < 0.7-150300.3.9.2 | 0.7-150300.3.9.2 | Nov 10, 2022 | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attacker |
| CVE-2021-40348 | — | — | — | < 0.7-3.3.3 | 0.7-3.3.3 | Nov 1, 2021 | Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to |
| CVE-2021-21996 | — | — | — | < 0.7-3.3.3 | 0.7-3.3.3 | Sep 8, 2021 | An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. |
| CVE-2019-5427 | — | — | — | < 0.7-150300.3.6.1 | 0.7-150300.3.6.1 | Apr 22, 2019 | c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. |
| CVE-2018-20433 | — | — | — | < 0.7-150300.3.6.1 | 0.7-150300.3.6.1 | Dec 24, 2018 | c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. |