rpm package
suse/openstack-heat-templates&distro=SUSE OpenStack Cloud 9
pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%209
Vulnerabilities (43)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-22141 | — | < 0.0.0+git.1628179051.7d761bff-3.12.1 | 0.0.0+git.1628179051.7d761bff-3.12.1 | Nov 18, 2022 | An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website. | ||
| CVE-2022-34265 | — | < 0.0.0+git.1654529662.75fa04a7-3.15.1 | 0.0.0+git.1654529662.75fa04a7-3.15.1 | Jul 4, 2022 | An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe l | ||
| CVE-2022-28346 | — | < 0.0.0+git.1654529662.75fa04a7-3.15.1 | 0.0.0+git.1654529662.75fa04a7-3.15.1 | Apr 12, 2022 | An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. | ||
| CVE-2022-24790 | — | < 0.0.0+git.1654529662.75fa04a7-3.15.1 | 0.0.0+git.1654529662.75fa04a7-3.15.1 | Mar 30, 2022 | Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta | ||
| CVE-2021-41136 | — | < 0.0.0+git.1628179051.7d761bff-3.12.1 | 0.0.0+git.1628179051.7d761bff-3.12.1 | Oct 12, 2021 | Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p | ||
| CVE-2021-39226 | — | KEV | < 0.0.0+git.1654529662.75fa04a7-3.15.1 | 0.0.0+git.1654529662.75fa04a7-3.15.1 | Oct 5, 2021 | Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public | |
| CVE-2020-10743 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | ||
| CVE-2021-21419 | — | < 0.0.0+git.1628179051.7d761bff-3.12.1 | 0.0.0+git.1628179051.7d761bff-3.12.1 | May 7, 2021 | Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web | ||
| CVE-2020-26298 | — | < 0.0.0+git.1628179051.7d761bff-3.12.1 | 0.0.0+git.1628179051.7d761bff-3.12.1 | Jan 11, 2021 | Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the | ||
| CVE-2019-20933 | — | < 0.0.0+git.1605509190.64f020b6-3.9.3 | 0.0.0+git.1605509190.64f020b6-3.9.3 | Nov 19, 2020 | InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). | ||
| CVE-2020-24303 | — | < 0.0.0+git.1605509190.64f020b6-3.9.3 | 0.0.0+git.1605509190.64f020b6-3.9.3 | Oct 28, 2020 | Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. | ||
| CVE-2020-26137 | — | < 0.0.0+git.1605509190.64f020b6-3.9.3 | 0.0.0+git.1605509190.64f020b6-3.9.3 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | ||
| CVE-2020-10177 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Jun 25, 2020 | Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. | ||
| CVE-2020-11538 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Jun 25, 2020 | In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. | ||
| CVE-2020-10994 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Jun 25, 2020 | In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. | ||
| CVE-2020-10378 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Jun 25, 2020 | In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. | ||
| CVE-2020-8184 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Jun 19, 2020 | A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. | ||
| CVE-2020-10755 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Jun 10, 2020 | An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th | ||
| CVE-2020-13379 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2020-13596 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. |
- CVE-2021-22141Nov 18, 2022affected < 0.0.0+git.1628179051.7d761bff-3.12.1fixed 0.0.0+git.1628179051.7d761bff-3.12.1
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
- CVE-2022-34265Jul 4, 2022affected < 0.0.0+git.1654529662.75fa04a7-3.15.1fixed 0.0.0+git.1654529662.75fa04a7-3.15.1
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe l
- CVE-2022-28346Apr 12, 2022affected < 0.0.0+git.1654529662.75fa04a7-3.15.1fixed 0.0.0+git.1654529662.75fa04a7-3.15.1
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
- CVE-2022-24790Mar 30, 2022affected < 0.0.0+git.1654529662.75fa04a7-3.15.1fixed 0.0.0+git.1654529662.75fa04a7-3.15.1
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta
- CVE-2021-41136Oct 12, 2021affected < 0.0.0+git.1628179051.7d761bff-3.12.1fixed 0.0.0+git.1628179051.7d761bff-3.12.1
Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p
- affected < 0.0.0+git.1654529662.75fa04a7-3.15.1fixed 0.0.0+git.1654529662.75fa04a7-3.15.1
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public
- CVE-2020-10743Jun 2, 2021affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- CVE-2021-21419May 7, 2021affected < 0.0.0+git.1628179051.7d761bff-3.12.1fixed 0.0.0+git.1628179051.7d761bff-3.12.1
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web
- CVE-2020-26298Jan 11, 2021affected < 0.0.0+git.1628179051.7d761bff-3.12.1fixed 0.0.0+git.1628179051.7d761bff-3.12.1
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the
- CVE-2019-20933Nov 19, 2020affected < 0.0.0+git.1605509190.64f020b6-3.9.3fixed 0.0.0+git.1605509190.64f020b6-3.9.3
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
- CVE-2020-24303Oct 28, 2020affected < 0.0.0+git.1605509190.64f020b6-3.9.3fixed 0.0.0+git.1605509190.64f020b6-3.9.3
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
- CVE-2020-26137Sep 29, 2020affected < 0.0.0+git.1605509190.64f020b6-3.9.3fixed 0.0.0+git.1605509190.64f020b6-3.9.3
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
- CVE-2020-10177Jun 25, 2020affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
- CVE-2020-11538Jun 25, 2020affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
- CVE-2020-10994Jun 25, 2020affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
- CVE-2020-10378Jun 25, 2020affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
- CVE-2020-8184Jun 19, 2020affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
- CVE-2020-10755Jun 10, 2020affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th
- CVE-2020-13379Jun 3, 2020affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2020-13596Jun 3, 2020affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
Page 1 of 3