rpm package
suse/openstack-heat-templates&distro=SUSE OpenStack Cloud Crowbar 9
pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Vulnerabilities (43)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-10906 | — | < 0.0.0+git.1605509190.64f020b6-3.9.3 | 0.0.0+git.1605509190.64f020b6-3.9.3 | Apr 6, 2019 | In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. | ||
| CVE-2019-3828 | — | < 0.0.0+git.1582270132.8a20477-3.6.2 | 0.0.0+git.1582270132.8a20477-3.6.2 | Mar 27, 2019 | Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path. | ||
| CVE-2019-8341 | — | < 0.0.0+git.1605509190.64f020b6-3.9.3 | 0.0.0+git.1605509190.64f020b6-3.9.3 | Feb 15, 2019 | An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: |
- CVE-2019-10906Apr 6, 2019affected < 0.0.0+git.1605509190.64f020b6-3.9.3fixed 0.0.0+git.1605509190.64f020b6-3.9.3
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
- CVE-2019-3828Mar 27, 2019affected < 0.0.0+git.1582270132.8a20477-3.6.2fixed 0.0.0+git.1582270132.8a20477-3.6.2
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
- CVE-2019-8341Feb 15, 2019affected < 0.0.0+git.1605509190.64f020b6-3.9.3fixed 0.0.0+git.1605509190.64f020b6-3.9.3
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE:
Page 3 of 3