rpm package

suse/influxdb&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/influxdb&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (11)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-22141	—	< 1.3.8-4.6.1	1.3.8-4.6.1	Nov 18, 2022	An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2021-41136	—	< 1.3.8-4.6.1	1.3.8-4.6.1	Oct 12, 2021	Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p
CVE-2021-21419	—	< 1.3.8-4.6.1	1.3.8-4.6.1	May 7, 2021	Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web
CVE-2020-26298	—	< 1.3.8-4.6.1	1.3.8-4.6.1	Jan 11, 2021	Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the
CVE-2019-20933	—	< 1.3.8-4.3.3	1.3.8-4.3.3	Nov 19, 2020	InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
CVE-2020-24303	—	< 1.3.8-4.3.3	1.3.8-4.3.3	Oct 28, 2020	Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-26137	—	< 1.3.8-4.3.3	1.3.8-4.3.3	Sep 29, 2020	urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2020-5390	—	< 1.3.8-4.3.3	1.3.8-4.3.3	Jan 13, 2020	PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2016-10745	—	< 1.3.8-4.3.3	1.3.8-4.3.3	Apr 8, 2019	In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
CVE-2019-10906	—	< 1.3.8-4.3.3	1.3.8-4.3.3	Apr 6, 2019	In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
CVE-2019-8341	—	< 1.3.8-4.3.3	1.3.8-4.3.3	Feb 15, 2019	An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE:

CVE-2021-22141Nov 18, 2022
affected < 1.3.8-4.6.1fixed 1.3.8-4.6.1
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2021-41136Oct 12, 2021
affected < 1.3.8-4.6.1fixed 1.3.8-4.6.1
Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p
CVE-2021-21419May 7, 2021
affected < 1.3.8-4.6.1fixed 1.3.8-4.6.1
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web
CVE-2020-26298Jan 11, 2021
affected < 1.3.8-4.6.1fixed 1.3.8-4.6.1
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the
CVE-2019-20933Nov 19, 2020
affected < 1.3.8-4.3.3fixed 1.3.8-4.3.3
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
CVE-2020-24303Oct 28, 2020
affected < 1.3.8-4.3.3fixed 1.3.8-4.3.3
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-26137Sep 29, 2020
affected < 1.3.8-4.3.3fixed 1.3.8-4.3.3
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2020-5390Jan 13, 2020
affected < 1.3.8-4.3.3fixed 1.3.8-4.3.3
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2016-10745Apr 8, 2019
affected < 1.3.8-4.3.3fixed 1.3.8-4.3.3
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
CVE-2019-10906Apr 6, 2019
affected < 1.3.8-4.3.3fixed 1.3.8-4.3.3
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
CVE-2019-8341Feb 15, 2019
affected < 1.3.8-4.3.3fixed 1.3.8-4.3.3
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: