rpm package

suse/monasca-installer&distro=SUSE OpenStack Cloud 7

pkg:rpm/suse/monasca-installer&distro=SUSE%20OpenStack%20Cloud%207

Vulnerabilities (47)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2019-19911	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Jan 5, 2020	There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho
CVE-2020-5312	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Jan 3, 2020	libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
CVE-2020-5313	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Jan 3, 2020	libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
CVE-2019-16789	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Dec 26, 2019	In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain
CVE-2019-16785	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Dec 20, 2019	Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if
CVE-2019-16786	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Dec 20, 2019	Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separ
CVE-2019-19844	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Dec 18, 2019	Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token fo
CVE-2019-18874	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Nov 12, 2019	psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-16865	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Oct 4, 2019	An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
CVE-2019-15043	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Sep 3, 2019	In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
CVE-2019-15026	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Aug 30, 2019	memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.
CVE-2019-0201	—	< 20180608_12.47-12.1	20180608_12.47-12.1	May 23, 2019	An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuth
CVE-2019-11596	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Apr 29, 2019	In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.
CVE-2019-3828	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Mar 27, 2019	Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
CVE-2019-3498	—	< 20180608_12.47-12.1	20180608_12.47-12.1	Jan 9, 2019	In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a use
CVE-2018-1288	—	< 20180608_12.47-9.1	20180608_12.47-9.1	Jul 26, 2018	In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
CVE-2017-7481	—	< 20170912_10.45-5.1	20170912_10.45-5.1	Jul 19, 2018	Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default,
CVE-2017-7466	—	< 20170912_10.45-5.1	20170912_10.45-5.1	Jun 22, 2018	Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbi
CVE-2018-12099	—	< 20180608_12.47-9.1	20180608_12.47-9.1	Jun 11, 2018	Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
CVE-2016-9587	—	< 20170912_10.45-5.1	20170912_10.45-5.1	Apr 24, 2018	Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use thi

CVE-2019-19911Jan 5, 2020
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho
CVE-2020-5312Jan 3, 2020
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
CVE-2020-5313Jan 3, 2020
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
CVE-2019-16789Dec 26, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain
CVE-2019-16785Dec 20, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if
CVE-2019-16786Dec 20, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separ
CVE-2019-19844Dec 18, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token fo
CVE-2019-18874Nov 12, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-16865Oct 4, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
CVE-2019-15043Sep 3, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
CVE-2019-15026Aug 30, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.
CVE-2019-0201May 23, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuth
CVE-2019-11596Apr 29, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.
CVE-2019-3828Mar 27, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
CVE-2019-3498Jan 9, 2019
affected < 20180608_12.47-12.1fixed 20180608_12.47-12.1
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a use
CVE-2018-1288Jul 26, 2018
affected < 20180608_12.47-9.1fixed 20180608_12.47-9.1
In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.
CVE-2017-7481Jul 19, 2018
affected < 20170912_10.45-5.1fixed 20170912_10.45-5.1
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default,
CVE-2017-7466Jun 22, 2018
affected < 20170912_10.45-5.1fixed 20170912_10.45-5.1
Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbi
CVE-2018-12099Jun 11, 2018
affected < 20180608_12.47-9.1fixed 20180608_12.47-9.1
Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
CVE-2016-9587Apr 24, 2018
affected < 20170912_10.45-5.1fixed 20170912_10.45-5.1
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use thi

Page 2 of 3