rpm package

suse/openstack-neutron-gbp&distro=SUSE OpenStack Cloud Crowbar 9

pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209

Vulnerabilities (76)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2019-20933	—	< 12.0.1~dev5-3.19.4	12.0.1~dev5-3.19.4	Nov 19, 2020	InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
CVE-2020-24303	—	< 12.0.1~dev5-3.19.4	12.0.1~dev5-3.19.4	Oct 28, 2020	Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-26137	—	< 12.0.1~dev5-3.19.4	12.0.1~dev5-3.19.4	Sep 29, 2020	urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2020-11110	—	< 12.0.1~dev29-3.25.3	12.0.1~dev29-3.25.3	Jul 27, 2020	Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-13379	—	< 12.0.1~dev29-3.25.3	12.0.1~dev29-3.25.3	Jun 3, 2020	The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
CVE-2018-18625	—	< 12.0.1~dev29-3.25.3	12.0.1~dev29-3.25.3	Jun 2, 2020	Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18624	—	< 12.0.1~dev29-3.25.3	12.0.1~dev29-3.25.3	Jun 2, 2020	Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18623	—	< 12.0.1~dev29-3.25.3	12.0.1~dev29-3.25.3	Jun 2, 2020	Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2020-12052	—	< 12.0.1~dev29-3.25.3	12.0.1~dev29-3.25.3	Apr 27, 2020	Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVE-2018-17954	—	< 5.0.1~dev491-3.16.1	5.0.1~dev491-3.16.1	Apr 3, 2020	An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
CVE-2020-1734	—	< 14.0.1~dev46-3.34.1	14.0.1~dev46-3.34.1	Mar 3, 2020	A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitr
CVE-2020-5390	—	< 12.0.1~dev5-3.19.4	12.0.1~dev5-3.19.4	Jan 13, 2020	PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2019-16770	—	< 5.0.1~dev491-3.16.1	5.0.1~dev491-3.16.1	Dec 5, 2019	In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p
CVE-2019-11287	—	< 14.0.1~dev46-3.34.1	14.0.1~dev46-3.34.1	Nov 22, 2019	Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP
CVE-2019-18874	—	< 5.0.1~dev476-3.13.1	5.0.1~dev476-3.13.1	Nov 12, 2019	psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-17134	—	< 5.0.1~dev476-3.13.1	5.0.1~dev476-3.13.1	Oct 8, 2019	Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent
CVE-2019-15043	—	< 12.0.1~dev29-3.25.3	12.0.1~dev29-3.25.3	Sep 3, 2019	In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
CVE-2019-13611	—	< 5.0.1~dev459-3.7.2	5.0.1~dev459-3.7.2	Jul 15, 2019	An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
CVE-2019-13117	—	< 5.0.1~dev491-3.16.1	5.0.1~dev491-3.16.1	Jul 1, 2019	In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
CVE-2019-11324	—	< 5.0.1~dev459-3.7.2	5.0.1~dev459-3.7.2	Apr 18, 2019	The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is

CVE-2019-20933Nov 19, 2020
affected < 12.0.1~dev5-3.19.4fixed 12.0.1~dev5-3.19.4
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
CVE-2020-24303Oct 28, 2020
affected < 12.0.1~dev5-3.19.4fixed 12.0.1~dev5-3.19.4
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-26137Sep 29, 2020
affected < 12.0.1~dev5-3.19.4fixed 12.0.1~dev5-3.19.4
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2020-11110Jul 27, 2020
affected < 12.0.1~dev29-3.25.3fixed 12.0.1~dev29-3.25.3
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-13379Jun 3, 2020
affected < 12.0.1~dev29-3.25.3fixed 12.0.1~dev29-3.25.3
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
CVE-2018-18625Jun 2, 2020
affected < 12.0.1~dev29-3.25.3fixed 12.0.1~dev29-3.25.3
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18624Jun 2, 2020
affected < 12.0.1~dev29-3.25.3fixed 12.0.1~dev29-3.25.3
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18623Jun 2, 2020
affected < 12.0.1~dev29-3.25.3fixed 12.0.1~dev29-3.25.3
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2020-12052Apr 27, 2020
affected < 12.0.1~dev29-3.25.3fixed 12.0.1~dev29-3.25.3
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVE-2018-17954Apr 3, 2020
affected < 5.0.1~dev491-3.16.1fixed 5.0.1~dev491-3.16.1
An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
CVE-2020-1734Mar 3, 2020
affected < 14.0.1~dev46-3.34.1fixed 14.0.1~dev46-3.34.1
A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitr
CVE-2020-5390Jan 13, 2020
affected < 12.0.1~dev5-3.19.4fixed 12.0.1~dev5-3.19.4
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2019-16770Dec 5, 2019
affected < 5.0.1~dev491-3.16.1fixed 5.0.1~dev491-3.16.1
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p
CVE-2019-11287Nov 22, 2019
affected < 14.0.1~dev46-3.34.1fixed 14.0.1~dev46-3.34.1
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP
CVE-2019-18874Nov 12, 2019
affected < 5.0.1~dev476-3.13.1fixed 5.0.1~dev476-3.13.1
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-17134Oct 8, 2019
affected < 5.0.1~dev476-3.13.1fixed 5.0.1~dev476-3.13.1
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent
CVE-2019-15043Sep 3, 2019
affected < 12.0.1~dev29-3.25.3fixed 12.0.1~dev29-3.25.3
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
CVE-2019-13611Jul 15, 2019
affected < 5.0.1~dev459-3.7.2fixed 5.0.1~dev459-3.7.2
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
CVE-2019-13117Jul 1, 2019
affected < 5.0.1~dev491-3.16.1fixed 5.0.1~dev491-3.16.1
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
CVE-2019-11324Apr 18, 2019
affected < 5.0.1~dev459-3.7.2fixed 5.0.1~dev459-3.7.2
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is

Page 3 of 4