VYPR

rpm package

suse/openstack-horizon-plugin-gbp-ui&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/openstack-horizon-plugin-gbp-ui&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (36)

  • CVE-2021-40085MedAug 31, 2021
    affected < 14.0.1~dev3-3.9.1fixed 14.0.1~dev3-3.9.1

    An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.

  • CVE-2021-38155HigAug 6, 2021
    affected < 14.0.1~dev3-3.9.1fixed 14.0.1~dev3-3.9.1

    OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, an

  • CVE-2021-21419MedMay 7, 2021
    affected < 12.0.1~dev5-3.6.1fixed 12.0.1~dev5-3.6.1

    Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web

  • CVE-2021-28957MedMar 21, 2021
    affected < 14.0.1~dev3-3.9.1fixed 14.0.1~dev3-3.9.1

    An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit thi

  • CVE-2020-26298MedJan 11, 2021
    affected < 12.0.1~dev5-3.6.1fixed 12.0.1~dev5-3.6.1

    Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the

  • CVE-2020-27783MedDec 3, 2020
    affected < 14.0.1~dev3-3.9.1fixed 14.0.1~dev3-3.9.1

    A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

  • CVE-2019-20933CriNov 19, 2020
    affected < 12.0.1~dev3-3.3.4fixed 12.0.1~dev3-3.3.4

    InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

  • CVE-2020-24303MedOct 28, 2020
    affected < 12.0.1~dev3-3.3.4fixed 12.0.1~dev3-3.3.4

    Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

  • CVE-2020-26137MedSep 30, 2020
    affected < 12.0.1~dev3-3.3.4fixed 12.0.1~dev3-3.3.4

    urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

  • CVE-2020-1734HigMar 3, 2020
    affected < 14.0.1~dev4-3.12.1fixed 14.0.1~dev4-3.12.1

    A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitr

  • CVE-2020-5390HigJan 13, 2020
    affected < 12.0.1~dev3-3.3.4fixed 12.0.1~dev3-3.3.4

    PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus

  • CVE-2019-11287HigNov 23, 2019
    affected < 14.0.1~dev4-3.12.1fixed 14.0.1~dev4-3.12.1

    Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP

  • CVE-2016-10745HigApr 8, 2019
    affected < 12.0.1~dev3-3.3.4fixed 12.0.1~dev3-3.3.4

    In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

  • CVE-2019-10906HigApr 7, 2019
    affected < 12.0.1~dev3-3.3.4fixed 12.0.1~dev3-3.3.4

    In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

  • CVE-2019-8341CriFeb 15, 2019
    affected < 12.0.1~dev3-3.3.4fixed 12.0.1~dev3-3.3.4

    An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE:

  • CVE-2018-19787MedDec 2, 2018
    affected < 14.0.1~dev3-3.9.1fixed 14.0.1~dev3-3.9.1

    An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar

Page 2 of 2