rpm package
suse/openstack-nova&distro=SUSE OpenStack Cloud 8
pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%208
Vulnerabilities (116)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-2974 | — | < 16.1.9~dev49-3.32.4 | 16.1.9~dev49-3.32.4 | Oct 16, 2019 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mult | ||
| CVE-2019-2938 | — | < 16.1.9~dev49-3.32.4 | 16.1.9~dev49-3.32.4 | Oct 16, 2019 | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromi | ||
| CVE-2017-1002201 | — | < 16.1.9~dev49-3.32.4 | 16.1.9~dev49-3.32.4 | Oct 15, 2019 | In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially e | ||
| CVE-2019-14858 | — | < 16.1.9~dev76-3.39.2 | 16.1.9~dev76-3.39.2 | Oct 14, 2019 | A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub par | ||
| CVE-2019-14846 | — | < 16.1.9~dev76-3.39.2 | 16.1.9~dev76-3.39.2 | Oct 8, 2019 | In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not af | ||
| CVE-2019-15043 | — | < 16.1.9~dev7-3.29.3 | 16.1.9~dev7-3.29.3 | Sep 3, 2019 | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. | ||
| CVE-2019-15026 | — | < 16.1.9~dev61-3.35.2 | 16.1.9~dev61-3.35.2 | Aug 30, 2019 | memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c. | ||
| CVE-2019-5477 | — | < 16.1.9~dev7-3.29.3 | 16.1.9~dev7-3.29.3 | Aug 16, 2019 | A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input a | ||
| CVE-2019-10156 | — | < 16.1.9~dev76-3.39.2 | 16.1.9~dev76-3.39.2 | Jul 30, 2019 | A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any | ||
| CVE-2018-11779 | — | < 16.1.9~dev76-3.39.2 | 16.1.9~dev76-3.39.2 | Jul 25, 2019 | In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class. | ||
| CVE-2019-0202 | — | < 16.1.9~dev76-3.39.2 | 16.1.9~dev76-3.39.2 | Jul 25, 2019 | The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpo | ||
| CVE-2019-2805 | — | < 16.1.9~dev49-3.32.4 | 16.1.9~dev49-3.32.4 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mu | ||
| CVE-2019-2758 | — | < 16.1.9~dev49-3.32.4 | 16.1.9~dev49-3.32.4 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr | ||
| CVE-2019-2740 | — | < 16.1.9~dev49-3.32.4 | 16.1.9~dev49-3.32.4 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multi | ||
| CVE-2019-2739 | — | < 16.1.9~dev49-3.32.4 | 16.1.9~dev49-3.32.4 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon | ||
| CVE-2019-2737 | — | < 16.1.9~dev49-3.32.4 | 16.1.9~dev49-3.32.4 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network acc | ||
| CVE-2019-13611 | — | < 16.1.9~dev7-3.29.3 | 16.1.9~dev7-3.29.3 | Jul 15, 2019 | An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted. | ||
| CVE-2019-13117 | — | < 16.1.9~dev49-3.32.4 | 16.1.9~dev49-3.32.4 | Jul 1, 2019 | In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character. | ||
| CVE-2019-0201 | — | < 16.1.9~dev61-3.35.2 | 16.1.9~dev61-3.35.2 | May 23, 2019 | An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuth | ||
| CVE-2019-11596 | — | < 16.1.9~dev61-3.35.2 | 16.1.9~dev61-3.35.2 | Apr 29, 2019 | In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c. |
- CVE-2019-2974Oct 16, 2019affected < 16.1.9~dev49-3.32.4fixed 16.1.9~dev49-3.32.4
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mult
- CVE-2019-2938Oct 16, 2019affected < 16.1.9~dev49-3.32.4fixed 16.1.9~dev49-3.32.4
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromi
- CVE-2017-1002201Oct 15, 2019affected < 16.1.9~dev49-3.32.4fixed 16.1.9~dev49-3.32.4
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially e
- CVE-2019-14858Oct 14, 2019affected < 16.1.9~dev76-3.39.2fixed 16.1.9~dev76-3.39.2
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub par
- CVE-2019-14846Oct 8, 2019affected < 16.1.9~dev76-3.39.2fixed 16.1.9~dev76-3.39.2
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not af
- CVE-2019-15043Sep 3, 2019affected < 16.1.9~dev7-3.29.3fixed 16.1.9~dev7-3.29.3
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
- CVE-2019-15026Aug 30, 2019affected < 16.1.9~dev61-3.35.2fixed 16.1.9~dev61-3.35.2
memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.
- CVE-2019-5477Aug 16, 2019affected < 16.1.9~dev7-3.29.3fixed 16.1.9~dev7-3.29.3
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input a
- CVE-2019-10156Jul 30, 2019affected < 16.1.9~dev76-3.39.2fixed 16.1.9~dev76-3.39.2
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any
- CVE-2018-11779Jul 25, 2019affected < 16.1.9~dev76-3.39.2fixed 16.1.9~dev76-3.39.2
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.
- CVE-2019-0202Jul 25, 2019affected < 16.1.9~dev76-3.39.2fixed 16.1.9~dev76-3.39.2
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpo
- CVE-2019-2805Jul 23, 2019affected < 16.1.9~dev49-3.32.4fixed 16.1.9~dev49-3.32.4
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mu
- CVE-2019-2758Jul 23, 2019affected < 16.1.9~dev49-3.32.4fixed 16.1.9~dev49-3.32.4
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr
- CVE-2019-2740Jul 23, 2019affected < 16.1.9~dev49-3.32.4fixed 16.1.9~dev49-3.32.4
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multi
- CVE-2019-2739Jul 23, 2019affected < 16.1.9~dev49-3.32.4fixed 16.1.9~dev49-3.32.4
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon
- CVE-2019-2737Jul 23, 2019affected < 16.1.9~dev49-3.32.4fixed 16.1.9~dev49-3.32.4
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network acc
- CVE-2019-13611Jul 15, 2019affected < 16.1.9~dev7-3.29.3fixed 16.1.9~dev7-3.29.3
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
- CVE-2019-13117Jul 1, 2019affected < 16.1.9~dev49-3.32.4fixed 16.1.9~dev49-3.32.4
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
- CVE-2019-0201May 23, 2019affected < 16.1.9~dev61-3.35.2fixed 16.1.9~dev61-3.35.2
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuth
- CVE-2019-11596Apr 29, 2019affected < 16.1.9~dev61-3.35.2fixed 16.1.9~dev61-3.35.2
In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.
Page 4 of 6