rpm package
suse/openstack-cinder&distro=SUSE OpenStack Cloud Crowbar 9
pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Vulnerabilities (83)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-47951 | — | < 13.0.10~dev24-3.37.2 | 13.0.10~dev24-3.37.2 | Jan 26, 2023 | An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac | ||
| CVE-2021-22141 | — | < 13.0.10~dev23-3.31.2 | 13.0.10~dev23-3.31.2 | Nov 18, 2022 | An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website. | ||
| CVE-2022-23451 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Sep 6, 2022 | An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p | ||
| CVE-2022-23452 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Sep 1, 2022 | An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service. | ||
| CVE-2022-29970 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | May 2, 2022 | Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. | ||
| CVE-2022-22817 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Jan 7, 2022 | PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. | ||
| CVE-2022-22816 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Jan 7, 2022 | path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. | ||
| CVE-2022-22815 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Jan 7, 2022 | path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. | ||
| CVE-2021-44716 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Jan 1, 2022 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. | ||
| CVE-2021-43818 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Dec 13, 2021 | lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s | ||
| CVE-2021-43813 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Dec 10, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi | ||
| CVE-2021-41184 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Oct 26, 2021 | jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option | ||
| CVE-2021-41183 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Oct 26, 2021 | jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text | ||
| CVE-2021-41182 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Oct 26, 2021 | jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altFi | ||
| CVE-2021-41136 | — | < 13.0.10~dev23-3.31.2 | 13.0.10~dev23-3.31.2 | Oct 12, 2021 | Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p | ||
| CVE-2021-40085 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Aug 31, 2021 | An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value. | ||
| CVE-2021-38155 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Aug 6, 2021 | OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, an | ||
| CVE-2020-10743 | — | < 13.0.10~dev12-3.22.4 | 13.0.10~dev12-3.22.4 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | ||
| CVE-2021-21419 | — | < 13.0.10~dev23-3.31.2 | 13.0.10~dev23-3.31.2 | May 7, 2021 | Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web | ||
| CVE-2021-28957 | — | < 13.0.10~dev24-3.34.2 | 13.0.10~dev24-3.34.2 | Mar 21, 2021 | An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit thi |
- CVE-2022-47951Jan 26, 2023affected < 13.0.10~dev24-3.37.2fixed 13.0.10~dev24-3.37.2
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
- CVE-2021-22141Nov 18, 2022affected < 13.0.10~dev23-3.31.2fixed 13.0.10~dev23-3.31.2
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
- CVE-2022-23451Sep 6, 2022affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
- CVE-2022-23452Sep 1, 2022affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
- CVE-2022-29970May 2, 2022affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
- CVE-2022-22817Jan 7, 2022affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
- CVE-2022-22816Jan 7, 2022affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
- CVE-2022-22815Jan 7, 2022affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
- CVE-2021-44716Jan 1, 2022affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
- CVE-2021-43818Dec 13, 2021affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s
- CVE-2021-43813Dec 10, 2021affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi
- CVE-2021-41184Oct 26, 2021affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option
- CVE-2021-41183Oct 26, 2021affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text
- CVE-2021-41182Oct 26, 2021affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altFi
- CVE-2021-41136Oct 12, 2021affected < 13.0.10~dev23-3.31.2fixed 13.0.10~dev23-3.31.2
Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p
- CVE-2021-40085Aug 31, 2021affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.
- CVE-2021-38155Aug 6, 2021affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, an
- CVE-2020-10743Jun 2, 2021affected < 13.0.10~dev12-3.22.4fixed 13.0.10~dev12-3.22.4
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- CVE-2021-21419May 7, 2021affected < 13.0.10~dev23-3.31.2fixed 13.0.10~dev23-3.31.2
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web
- CVE-2021-28957Mar 21, 2021affected < 13.0.10~dev24-3.34.2fixed 13.0.10~dev24-3.34.2
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit thi
Page 1 of 5