VYPR

rpm package

suse/openstack-heat-gbp&distro=SUSE OpenStack Cloud Crowbar 9

pkg:rpm/suse/openstack-heat-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209

Vulnerabilities (30)

  • CVE-2020-26298Jan 11, 2021
    affected < 12.0.1~dev4-3.6.1fixed 12.0.1~dev4-3.6.1

    Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the

  • CVE-2020-27783Dec 3, 2020
    affected < 14.0.1~dev4-3.9.1fixed 14.0.1~dev4-3.9.1

    A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

  • CVE-2019-20933Nov 19, 2020
    affected < 12.0.1~dev2-3.3.4fixed 12.0.1~dev2-3.3.4

    InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

  • CVE-2020-24303Oct 28, 2020
    affected < 12.0.1~dev2-3.3.4fixed 12.0.1~dev2-3.3.4

    Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

  • CVE-2020-26137Sep 29, 2020
    affected < 12.0.1~dev2-3.3.4fixed 12.0.1~dev2-3.3.4

    urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

  • CVE-2020-5390Jan 13, 2020
    affected < 12.0.1~dev2-3.3.4fixed 12.0.1~dev2-3.3.4

    PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus

  • CVE-2016-10745Apr 8, 2019
    affected < 12.0.1~dev2-3.3.4fixed 12.0.1~dev2-3.3.4

    In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

  • CVE-2019-10906Apr 6, 2019
    affected < 12.0.1~dev2-3.3.4fixed 12.0.1~dev2-3.3.4

    In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

  • CVE-2019-8341Feb 15, 2019
    affected < 12.0.1~dev2-3.3.4fixed 12.0.1~dev2-3.3.4

    An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE:

  • CVE-2018-19787Dec 2, 2018
    affected < 14.0.1~dev4-3.9.1fixed 14.0.1~dev4-3.9.1

    An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar

Page 2 of 2