rpm package

suse/openstack-monasca-agent&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (34)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2022-23307	—	< 2.8.2~dev5-3.18.1	2.8.2~dev5-3.18.1	Jan 18, 2022	CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23305	—	< 2.8.2~dev5-3.18.1	2.8.2~dev5-3.18.1	Jan 18, 2022	By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
CVE-2022-23302	—	< 2.8.2~dev5-3.18.1	2.8.2~dev5-3.18.1	Jan 18, 2022	JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
CVE-2021-4104	—	< 2.8.2~dev5-3.12.1	2.8.2~dev5-3.12.1	Dec 14, 2021	JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t
CVE-2020-10743	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 2, 2021	It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
CVE-2020-10177	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 25, 2020	Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
CVE-2020-11538	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 25, 2020	In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
CVE-2020-10994	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 25, 2020	In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
CVE-2020-10378	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 25, 2020	In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
CVE-2020-8184	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 19, 2020	A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
CVE-2020-10755	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 10, 2020	An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th
CVE-2020-13379	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 3, 2020	The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
CVE-2020-13596	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 3, 2020	An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
CVE-2020-13254	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jun 3, 2020	An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
CVE-2020-12052	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Apr 27, 2020	Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVE-2018-17954	—	< 2.8.1~dev13-3.6.2	2.8.1~dev13-3.6.2	Apr 3, 2020	An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
CVE-2020-9402	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Mar 5, 2020	Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possibl
CVE-2020-7471	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Feb 3, 2020	Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitabl
CVE-2019-16792	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jan 22, 2020	Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally.
CVE-2019-19911	—	< 2.8.2~dev5-3.9.3	2.8.2~dev5-3.9.3	Jan 5, 2020	There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho

CVE-2022-23307Jan 18, 2022
affected < 2.8.2~dev5-3.18.1fixed 2.8.2~dev5-3.18.1
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23305Jan 18, 2022
affected < 2.8.2~dev5-3.18.1fixed 2.8.2~dev5-3.18.1
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
CVE-2022-23302Jan 18, 2022
affected < 2.8.2~dev5-3.18.1fixed 2.8.2~dev5-3.18.1
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
CVE-2021-4104Dec 14, 2021
affected < 2.8.2~dev5-3.12.1fixed 2.8.2~dev5-3.12.1
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t
CVE-2020-10743Jun 2, 2021
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
CVE-2020-10177Jun 25, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
CVE-2020-11538Jun 25, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
CVE-2020-10994Jun 25, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
CVE-2020-10378Jun 25, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
CVE-2020-8184Jun 19, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
CVE-2020-10755Jun 10, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th
CVE-2020-13379Jun 3, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
CVE-2020-13596Jun 3, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
CVE-2020-13254Jun 3, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
CVE-2020-12052Apr 27, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVE-2018-17954Apr 3, 2020
affected < 2.8.1~dev13-3.6.2fixed 2.8.1~dev13-3.6.2
An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
CVE-2020-9402Mar 5, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possibl
CVE-2020-7471Feb 3, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitabl
CVE-2019-16792Jan 22, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally.
CVE-2019-19911Jan 5, 2020
affected < 2.8.2~dev5-3.9.3fixed 2.8.2~dev5-3.9.3
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho

Page 1 of 2