rpm package

suse/openstack-gnocchi&distro=SUSE OpenStack Cloud 7

pkg:rpm/suse/openstack-gnocchi&distro=SUSE%20OpenStack%20Cloud%207

Vulnerabilities (15)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2020-17376		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Aug 26, 2020	An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar
CVE-2020-11110		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Jul 27, 2020	Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-10177		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Jun 25, 2020	Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
CVE-2020-10994		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Jun 25, 2020	In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
CVE-2020-10378		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Jun 25, 2020	In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
CVE-2020-13379		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Jun 3, 2020	The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
CVE-2018-18625		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Jun 2, 2020	Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18624		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Jun 2, 2020	Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18623		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Jun 2, 2020	Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2020-10744		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	May 15, 2020	An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18
CVE-2020-12052		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Apr 27, 2020	Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVE-2018-17954		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Apr 3, 2020	An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
CVE-2020-1733		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Mar 11, 2020	A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is cr
CVE-2019-15043		—	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Sep 3, 2019	In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
CVE-2016-0775	Med	6.5	< 3.0.7~dev1-2.8.2	3.0.7~dev1-2.8.2	Apr 13, 2016	Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.

CVE-2020-17376Aug 26, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar
CVE-2020-11110Jul 27, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-10177Jun 25, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
CVE-2020-10994Jun 25, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
CVE-2020-10378Jun 25, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
CVE-2020-13379Jun 3, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
CVE-2018-18625Jun 2, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18624Jun 2, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18623Jun 2, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2020-10744May 15, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18
CVE-2020-12052Apr 27, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVE-2018-17954Apr 3, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
CVE-2020-1733Mar 11, 2020
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is cr
CVE-2019-15043Sep 3, 2019
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
CVE-2016-0775MedApr 13, 2016
affected < 3.0.7~dev1-2.8.2fixed 3.0.7~dev1-2.8.2
Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.