rpm package
suse/openstack-neutron&distro=SUSE OpenStack Cloud 9
pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209
Vulnerabilities (96)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-10378 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jun 25, 2020 | In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. | ||
| CVE-2020-8184 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jun 19, 2020 | A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. | ||
| CVE-2020-10755 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jun 10, 2020 | An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th | ||
| CVE-2020-13379 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2020-13596 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. | ||
| CVE-2020-13254 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. | ||
| CVE-2018-18625 | — | < 13.0.8~dev95-3.28.3 | 13.0.8~dev95-3.28.3 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2018-18624 | — | < 13.0.8~dev95-3.28.3 | 13.0.8~dev95-3.28.3 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2018-18623 | — | < 13.0.8~dev95-3.28.3 | 13.0.8~dev95-3.28.3 | Jun 2, 2020 | Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2020-12052 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Apr 27, 2020 | Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | ||
| CVE-2018-17954 | — | < 13.0.7~dev48-3.19.3 | 13.0.7~dev48-3.19.3 | Apr 3, 2020 | An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a | ||
| CVE-2020-9543 | — | < 13.0.8~dev28-3.22.1 | 13.0.8~dev28-3.22.1 | Mar 12, 2020 | OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares o | ||
| CVE-2020-9402 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Mar 5, 2020 | Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possibl | ||
| CVE-2020-5247 | — | < 13.0.8~dev28-3.22.1 | 13.0.8~dev28-3.22.1 | Feb 28, 2020 | In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entir | ||
| CVE-2020-7471 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Feb 3, 2020 | Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitabl | ||
| CVE-2019-16792 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jan 22, 2020 | Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. | ||
| CVE-2020-5390 | — | < 13.0.8~dev135-3.31.2 | 13.0.8~dev135-3.31.2 | Jan 13, 2020 | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus | ||
| CVE-2019-19911 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jan 5, 2020 | There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho | ||
| CVE-2020-5311 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jan 3, 2020 | libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. | ||
| CVE-2020-5312 | — | < 13.0.8~dev68-3.25.3 | 13.0.8~dev68-3.25.3 | Jan 3, 2020 | libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. |
- CVE-2020-10378Jun 25, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
- CVE-2020-8184Jun 19, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
- CVE-2020-10755Jun 10, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th
- CVE-2020-13379Jun 3, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2020-13596Jun 3, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
- CVE-2020-13254Jun 3, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
- CVE-2018-18625Jun 2, 2020affected < 13.0.8~dev95-3.28.3fixed 13.0.8~dev95-3.28.3
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2018-18624Jun 2, 2020affected < 13.0.8~dev95-3.28.3fixed 13.0.8~dev95-3.28.3
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2018-18623Jun 2, 2020affected < 13.0.8~dev95-3.28.3fixed 13.0.8~dev95-3.28.3
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2020-12052Apr 27, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
- CVE-2018-17954Apr 3, 2020affected < 13.0.7~dev48-3.19.3fixed 13.0.7~dev48-3.19.3
An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
- CVE-2020-9543Mar 12, 2020affected < 13.0.8~dev28-3.22.1fixed 13.0.8~dev28-3.22.1
OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares o
- CVE-2020-9402Mar 5, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possibl
- CVE-2020-5247Feb 28, 2020affected < 13.0.8~dev28-3.22.1fixed 13.0.8~dev28-3.22.1
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entir
- CVE-2020-7471Feb 3, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitabl
- CVE-2019-16792Jan 22, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally.
- CVE-2020-5390Jan 13, 2020affected < 13.0.8~dev135-3.31.2fixed 13.0.8~dev135-3.31.2
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
- CVE-2019-19911Jan 5, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho
- CVE-2020-5311Jan 3, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.
- CVE-2020-5312Jan 3, 2020affected < 13.0.8~dev68-3.25.3fixed 13.0.8~dev68-3.25.3
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
Page 3 of 5