rpm package
suse/openstack-neutron-vpnaas&distro=SUSE OpenStack Cloud Crowbar 9
pkg:rpm/suse/openstack-neutron-vpnaas&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-20933 | — | | | < 13.0.2~dev6-3.9.2 | 13.0.2~dev6-3.9.2 | Nov 19, 2020 | InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). |
| CVE-2020-24303 | — | | | < 13.0.2~dev6-3.9.2 | 13.0.2~dev6-3.9.2 | Oct 28, 2020 | Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. |
| CVE-2020-26137 | — | | | < 13.0.2~dev6-3.9.2 | 13.0.2~dev6-3.9.2 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. |
| CVE-2018-17954 | — | | | < 13.0.2~dev6-3.6.2 | 13.0.2~dev6-3.6.2 | Apr 3, 2020 | An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to become root on any other node. This issue a |
| CVE-2020-5390 | — | | | < 13.0.2~dev6-3.9.2 | 13.0.2~dev6-3.9.2 | Jan 13, 2020 | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus |
| CVE-2019-16770 | — | | | < 13.0.2~dev6-3.6.2 | 13.0.2~dev6-3.6.2 | Dec 5, 2019 | In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p |
| CVE-2019-13117 | — | | | < 13.0.2~dev6-3.6.2 | 13.0.2~dev6-3.6.2 | Jul 1, 2019 | In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character. |
| CVE-2019-11068 | — | | | < 13.0.2~dev4-3.3.7 | 13.0.2~dev4-3.3.7 | Apr 10, 2019 | libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. |
| CVE-2016-10745 | — | | | < 13.0.2~dev6-3.9.2 | 13.0.2~dev6-3.9.2 | Apr 8, 2019 | In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. |
| CVE-2019-10906 | — | | | < 13.0.2~dev6-3.9.2 | 13.0.2~dev6-3.9.2 | Apr 6, 2019 | In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. |
| CVE-2019-10876 | — | | | < 13.0.2~dev4-3.3.7 | 13.0.2~dev4-3.3.7 | Apr 5, 2019 | An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes |
| CVE-2019-8341 | — | | | < 13.0.2~dev6-3.9.2 | 13.0.2~dev6-3.9.2 | Feb 15, 2019 | An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: |
| CVE-2018-19039 | — | | | < 13.0.2~dev4-3.3.7 | 13.0.2~dev4-3.3.7 | Dec 13, 2018 | Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. |