rpm package
suse/openstack-keystone-doc (distro: SUSE OpenStack Cloud 7)
pkg:rpm/suse/openstack-keystone-doc?distro=SUSE%20OpenStack%20Cloud%207
Vulnerabilities (8)
The "Affected versions" and "Fixed in" columns are EVRs (version-release) of the SUSE package openstack-keystone-doc in SUSE OpenStack Cloud 7, not the upstream version ranges quoted in the descriptions. Several entries describe components other than Keystone (Grafana, Nokogiri, Horizon, Nova, PySAML2) but are listed against this package's versions, so compare the installed package EVR with the "Fixed in" column rather than matching the upstream versions named in the text. A "—" means the page carries no value for that column.
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-15043 | — | — | — | < 10.0.3~dev9-7.18.2 | 10.0.3~dev9-7.18.2 | Sep 3, 2019 | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. |
| CVE-2019-5477 | — | — | — | < 10.0.3~dev9-7.18.2 | 10.0.3~dev9-7.18.2 | Aug 16, 2019 | A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input a |
| CVE-2018-19039 | — | — | — | < 10.0.3~dev9-7.18.2 | 10.0.3~dev9-7.18.2 | Dec 13, 2018 | Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. |
| CVE-2018-15727 | — | — | — | < 10.0.3~dev9-7.18.2 | 10.0.3~dev9-7.18.2 | Aug 29, 2018 | Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. |
| CVE-2018-14432 | — | — | — | < 10.0.3~dev9-7.12.1 | 10.0.3~dev9-7.12.1 | Jul 31, 2018 | In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access |
| CVE-2017-7400 | Medium | 4.8 | — | < 10.0.2~a0~dev2-6.2 | 10.0.2~a0~dev2-6.2 | Apr 3, 2017 | OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping. |
| CVE-2017-7214 | Critical | 9.8 | — | < 10.0.2~a0~dev2-6.2 | 10.0.2~a0~dev2-6.2 | Mar 21, 2017 | An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization |
| CVE-2016-10127 | Critical | 9.0 | — | < 10.0.3~dev9-7.18.2 | 10.0.3~dev9-7.18.2 | Mar 3, 2017 | PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response. |
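The version constraints in the table are RPM EVRs that use the `~` pre-release separator (10.0.3~dev9 is older than 10.0.3), which a plain string or semver comparison gets wrong. The script below is an added example, not code from this page or from SUSE: it re-implements librpm's rpmvercmp() ordering in Python, including `~` and `^` handling and the epoch/version/release split, and checks a given installed EVR against the "Fixed in" values copied from the table. The installed EVRs it is run on are constructed inputs; `FIXED_IN`, `evrcmp` and `unfixed_cves` are names chosen here.

```python
import re

# 'Fixed in' EVRs copied from the table above (package versions of
# openstack-keystone-doc in SUSE OpenStack Cloud 7, not upstream versions).
FIXED_IN = [
    ("CVE-2019-15043", "10.0.3~dev9-7.18.2"),
    ("CVE-2019-5477", "10.0.3~dev9-7.18.2"),
    ("CVE-2018-19039", "10.0.3~dev9-7.18.2"),
    ("CVE-2018-15727", "10.0.3~dev9-7.18.2"),
    ("CVE-2018-14432", "10.0.3~dev9-7.12.1"),
    ("CVE-2017-7400", "10.0.2~a0~dev2-6.2"),
    ("CVE-2017-7214", "10.0.2~a0~dev2-6.2"),
    ("CVE-2016-10127", "10.0.3~dev9-7.18.2"),
]

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")

def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()

def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        # Separators (anything but ASCII alphanumerics, '~' and '^') only
        # delimit segments; '.' vs '_' vs '-' never decides the order.
        while i < la and not _is_alnum(a[i]) and a[i] not in "~^":
            i += 1
        while j < lb and not _is_alnum(b[j]) and b[j] not in "~^":
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        # '~' sorts before everything, including end of string, so the
        # snapshot 10.0.3~dev9 is older than a 10.0.3 release.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' is the mirror image: 1.0^post1 > 1.0 but 1.0^post1 < 1.0.1.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Compare one all-digit or all-alpha segment from each side.
        if ca.isdigit():
            ma, mb, isnum = _DIGITS.match(a, i), _DIGITS.match(b, j), True
        else:
            ma, mb, isnum = _ALPHA.match(a, i), _ALPHA.match(b, j), False
        seg_a = ma.group(0)
        seg_b = mb.group(0) if mb else ""
        if not seg_b:
            return 1 if isnum else -1  # a numeric segment beats an alpha one
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits wins; 1.010 == 1.10
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ma.end(), mb.end()
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whoever has segments left over is newer

def parse_evr(evr: str):
    """Split '[epoch:]version[-release]'; a missing epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, sep, release = evr.rpartition("-")
    if not sep:
        version, release = release, ""
    return epoch, version, release

def evrcmp(a: str, b: str) -> int:
    """Order two EVRs: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)

def unfixed_cves(installed_evr: str) -> list:
    """CVEs from the table whose fixed EVR is newer than the installed one."""
    return [cve for cve, fixed in FIXED_IN if evrcmp(installed_evr, fixed) < 0]

if __name__ == "__main__":
    # Constructed installed versions; on a real host read the value with
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openstack-keystone-doc
    for evr in ("10.0.2~a0~dev2-6.2", "10.0.3~dev9-7.12.1", "10.0.3~dev9-7.18.2"):
        print(evr, "->", unfixed_cves(evr) or "nothing outstanding")
```

Note that 10.0.3~dev9-7.12.1 clears CVE-2018-14432 but none of the entries fixed in 7.18.2, and that an epoch on the installed package (for example `1:10.0.2~a0~dev2-6.2`) outranks every epoch-less "Fixed in" value, which is exactly why epoch must be read from the package rather than assumed. The ordering can be cross-checked on a host with `rpmdev-vercmp` from rpmdevtools.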