rpm package

suse/kibana&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (49)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-22141	—	< 4.6.6-4.12.1	4.6.6-4.12.1	Nov 18, 2022	An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2021-41136	—	< 4.6.6-4.12.1	4.6.6-4.12.1	Oct 12, 2021	Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p
CVE-2021-33203	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Jun 8, 2021	Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs te
CVE-2021-33571	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Jun 8, 2021	In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4
CVE-2020-10743	—	< 4.6.3-4.3.2	4.6.3-4.3.2	Jun 2, 2021	It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
CVE-2021-21419	—	< 4.6.6-4.12.1	4.6.6-4.12.1	May 7, 2021	Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web
CVE-2021-31542	—	< 4.6.6-4.9.2	4.6.6-4.9.2	May 5, 2021	In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVE-2021-28658	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Apr 6, 2021	In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
CVE-2021-27358	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Mar 18, 2021	The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
CVE-2019-25025	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Mar 5, 2021	The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepanci
CVE-2021-23336	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Feb 15, 2021	The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When
CVE-2020-17516	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Feb 3, 2021	Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted
CVE-2021-3281	—	< 4.6.3-4.6.1	4.6.3-4.6.1	Feb 2, 2021	In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
CVE-2021-21238	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Jan 21, 2021	PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig
CVE-2021-21239	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Jan 21, 2021	PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted
CVE-2020-26298	—	< 4.6.6-4.12.1	4.6.6-4.12.1	Jan 11, 2021	Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the
CVE-2020-29651	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Dec 9, 2020	A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.
CVE-2020-24303	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Oct 28, 2020	Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-11110	—	< 4.6.6-4.9.2	4.6.6-4.9.2	Jul 27, 2020	Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-10177	—	< 4.6.3-4.3.2	4.6.3-4.3.2	Jun 25, 2020	Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.

CVE-2021-22141Nov 18, 2022
affected < 4.6.6-4.12.1fixed 4.6.6-4.12.1
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2021-41136Oct 12, 2021
affected < 4.6.6-4.12.1fixed 4.6.6-4.12.1
Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p
CVE-2021-33203Jun 8, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs te
CVE-2021-33571Jun 8, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4
CVE-2020-10743Jun 2, 2021
affected < 4.6.3-4.3.2fixed 4.6.3-4.3.2
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
CVE-2021-21419May 7, 2021
affected < 4.6.6-4.12.1fixed 4.6.6-4.12.1
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web
CVE-2021-31542May 5, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVE-2021-28658Apr 6, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
CVE-2021-27358Mar 18, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
CVE-2019-25025Mar 5, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepanci
CVE-2021-23336Feb 15, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When
CVE-2020-17516Feb 3, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted
CVE-2021-3281Feb 2, 2021
affected < 4.6.3-4.6.1fixed 4.6.3-4.6.1
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
CVE-2021-21238Jan 21, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig
CVE-2021-21239Jan 21, 2021
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted
CVE-2020-26298Jan 11, 2021
affected < 4.6.6-4.12.1fixed 4.6.6-4.12.1
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the
CVE-2020-29651Dec 9, 2020
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.
CVE-2020-24303Oct 28, 2020
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-11110Jul 27, 2020
affected < 4.6.6-4.9.2fixed 4.6.6-4.9.2
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-10177Jun 25, 2020
affected < 4.6.3-4.3.2fixed 4.6.3-4.3.2
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.

Page 1 of 3