rpm package
suse/mgr-daemon&distro=SUSE Manager Client Tools 15
pkg:rpm/suse/mgr-daemon&distro=SUSE%20Manager%20Client%20Tools%2015
Vulnerabilities (45)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-43798 | — | KEV | < 4.3.8-150000.1.44.1 | 4.3.8-150000.1.44.1 | Dec 7, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, | |
| CVE-2021-3918 | — | < 4.3.7-150000.1.41.1 | 4.3.7-150000.1.41.1 | Nov 13, 2021 | json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | ||
| CVE-2021-3583 | — | < 4.3.5-150000.1.35.1 | 4.3.5-150000.1.35.1 | Sep 22, 2021 | A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special templ | ||
| CVE-2021-3807 | — | < 4.3.7-150000.1.41.1 | 4.3.7-150000.1.41.1 | Sep 17, 2021 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity | ||
| CVE-2021-20191 | — | < 4.3.5-150000.1.35.1 | 4.3.5-150000.1.35.1 | May 26, 2021 | A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulne | ||
| CVE-2021-20178 | — | < 4.3.5-150000.1.35.1 | 4.3.5-150000.1.35.1 | May 26, 2021 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f | ||
| CVE-2021-20228 | — | < 4.3.5-150000.1.35.1 | 4.3.5-150000.1.35.1 | Apr 29, 2021 | A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from | ||
| CVE-2021-3447 | — | < 4.3.5-150000.1.35.1 | 4.3.5-150000.1.35.1 | Apr 1, 2021 | A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_lo | ||
| CVE-2020-7753 | — | < 4.3.7-150000.1.41.1 | 4.3.7-150000.1.41.1 | Oct 27, 2020 | All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim(). | ||
| CVE-2020-14365 | — | < 4.3.9-150000.1.47.2 | 4.3.9-150000.1.47.2 | Sep 23, 2020 | A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default be | ||
| CVE-2020-14332 | — | < 4.3.9-150000.1.47.2 | 4.3.9-150000.1.47.2 | Sep 11, 2020 | A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t | ||
| CVE-2020-14330 | — | < 4.3.9-150000.1.47.2 | 4.3.9-150000.1.47.2 | Sep 11, 2020 | An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user | ||
| CVE-2020-13379 | — | < 4.1.1-1.14.2 | 4.1.1-1.14.2 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2020-10744 | — | < 4.3.9-150000.1.47.2 | 4.3.9-150000.1.47.2 | May 15, 2020 | An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18 | ||
| CVE-2020-12245 | — | < 4.1.1-1.14.2 | 4.1.1-1.14.2 | Apr 24, 2020 | Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. | ||
| CVE-2020-1753 | — | < 4.3.9-150000.1.47.2 | 4.3.9-150000.1.47.2 | Mar 16, 2020 | A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are | ||
| CVE-2019-10215 | — | < 4.1.1-1.14.2 | 4.1.1-1.14.2 | Oct 8, 2019 | Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser. | ||
| CVE-2019-15043 | — | < 4.1.1-1.14.2 | 4.1.1-1.14.2 | Sep 3, 2019 | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. | ||
| CVE-2019-10136 | — | < 4.0.7-1.8.1 | 4.0.7-1.8.1 | Jul 2, 2019 | It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. | ||
| CVE-2016-8614 | — | < 4.3.9-150000.1.47.2 | 4.3.9-150000.1.47.2 | Jul 31, 2018 | A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. |
- affected < 4.3.8-150000.1.44.1fixed 4.3.8-150000.1.44.1
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`,
- CVE-2021-3918Nov 13, 2021affected < 4.3.7-150000.1.41.1fixed 4.3.7-150000.1.41.1
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-3583Sep 22, 2021affected < 4.3.5-150000.1.35.1fixed 4.3.5-150000.1.35.1
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special templ
- CVE-2021-3807Sep 17, 2021affected < 4.3.7-150000.1.41.1fixed 4.3.7-150000.1.41.1
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
- CVE-2021-20191May 26, 2021affected < 4.3.5-150000.1.35.1fixed 4.3.5-150000.1.35.1
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulne
- CVE-2021-20178May 26, 2021affected < 4.3.5-150000.1.35.1fixed 4.3.5-150000.1.35.1
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f
- CVE-2021-20228Apr 29, 2021affected < 4.3.5-150000.1.35.1fixed 4.3.5-150000.1.35.1
A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from
- CVE-2021-3447Apr 1, 2021affected < 4.3.5-150000.1.35.1fixed 4.3.5-150000.1.35.1
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_lo
- CVE-2020-7753Oct 27, 2020affected < 4.3.7-150000.1.41.1fixed 4.3.7-150000.1.41.1
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
- CVE-2020-14365Sep 23, 2020affected < 4.3.9-150000.1.47.2fixed 4.3.9-150000.1.47.2
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default be
- CVE-2020-14332Sep 11, 2020affected < 4.3.9-150000.1.47.2fixed 4.3.9-150000.1.47.2
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t
- CVE-2020-14330Sep 11, 2020affected < 4.3.9-150000.1.47.2fixed 4.3.9-150000.1.47.2
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user
- CVE-2020-13379Jun 3, 2020affected < 4.1.1-1.14.2fixed 4.1.1-1.14.2
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2020-10744May 15, 2020affected < 4.3.9-150000.1.47.2fixed 4.3.9-150000.1.47.2
An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18
- CVE-2020-12245Apr 24, 2020affected < 4.1.1-1.14.2fixed 4.1.1-1.14.2
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
- CVE-2020-1753Mar 16, 2020affected < 4.3.9-150000.1.47.2fixed 4.3.9-150000.1.47.2
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are
- CVE-2019-10215Oct 8, 2019affected < 4.1.1-1.14.2fixed 4.1.1-1.14.2
Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.
- CVE-2019-15043Sep 3, 2019affected < 4.1.1-1.14.2fixed 4.1.1-1.14.2
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
- CVE-2019-10136Jul 2, 2019affected < 4.0.7-1.8.1fixed 4.0.7-1.8.1
It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum.
- CVE-2016-8614Jul 31, 2018affected < 4.3.9-150000.1.47.2fixed 4.3.9-150000.1.47.2
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
Page 2 of 3