rpm package
suse/openstack-barbican&distro=SUSE OpenStack Cloud 9
pkg:rpm/suse/openstack-barbican&distro=SUSE%20OpenStack%20Cloud%209
Vulnerabilities (48)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-19844 | — | < 7.0.1~dev24-3.9.5 | 7.0.1~dev24-3.9.5 | Dec 18, 2019 | Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token fo | ||
| CVE-2019-16770 | — | < 7.0.1~dev24-3.6.4 | 7.0.1~dev24-3.6.4 | Dec 5, 2019 | In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p | ||
| CVE-2019-18874 | — | < 7.0.1~dev21-3.3.1 | 7.0.1~dev21-3.3.1 | Nov 12, 2019 | psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object. | ||
| CVE-2019-17134 | — | < 7.0.1~dev21-3.3.1 | 7.0.1~dev21-3.3.1 | Oct 8, 2019 | Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent | ||
| CVE-2019-16865 | — | < 7.0.1~dev24-3.9.5 | 7.0.1~dev24-3.9.5 | Oct 4, 2019 | An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image. | ||
| CVE-2019-13117 | — | < 7.0.1~dev24-3.6.4 | 7.0.1~dev24-3.6.4 | Jul 1, 2019 | In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character. | ||
| CVE-2019-3828 | — | < 7.0.1~dev24-3.9.5 | 7.0.1~dev24-3.9.5 | Mar 27, 2019 | Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path. | ||
| CVE-2018-19787 | — | < 7.0.1~dev24-3.14.1 | 7.0.1~dev24-3.14.1 | Dec 2, 2018 | An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar |
- CVE-2019-19844Dec 18, 2019affected < 7.0.1~dev24-3.9.5fixed 7.0.1~dev24-3.9.5
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token fo
- CVE-2019-16770Dec 5, 2019affected < 7.0.1~dev24-3.6.4fixed 7.0.1~dev24-3.6.4
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p
- CVE-2019-18874Nov 12, 2019affected < 7.0.1~dev21-3.3.1fixed 7.0.1~dev21-3.3.1
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
- CVE-2019-17134Oct 8, 2019affected < 7.0.1~dev21-3.3.1fixed 7.0.1~dev21-3.3.1
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent
- CVE-2019-16865Oct 4, 2019affected < 7.0.1~dev24-3.9.5fixed 7.0.1~dev24-3.9.5
An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
- CVE-2019-13117Jul 1, 2019affected < 7.0.1~dev24-3.6.4fixed 7.0.1~dev24-3.6.4
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
- CVE-2019-3828Mar 27, 2019affected < 7.0.1~dev24-3.9.5fixed 7.0.1~dev24-3.9.5
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
- CVE-2018-19787Dec 2, 2018affected < 7.0.1~dev24-3.14.1fixed 7.0.1~dev24-3.14.1
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar
Page 3 of 3