VYPR

rpm package

suse/openstack-nova-doc&distro=SUSE OpenStack Cloud 7

pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%207

Vulnerabilities (56)

  • CVE-2019-2614 | Apr 23, 2019
    affected < 14.0.11~dev13-4.37.2 | fixed 14.0.11~dev13-4.37.2

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with network acces

  • CVE-2019-3828 | Mar 27, 2019
    affected < 14.0.11~dev13-4.40.2 | fixed 14.0.11~dev13-4.40.2

    Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.

  • CVE-2019-3498 | Jan 9, 2019
    affected < 14.0.11~dev13-4.40.2 | fixed 14.0.11~dev13-4.40.2

    In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a use

  • CVE-2018-19039 | Dec 13, 2018
    affected < 14.0.11~dev13-4.34.2 | fixed 14.0.11~dev13-4.34.2

    Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.

  • CVE-2018-15727 | Aug 29, 2018
    affected < 14.0.11~dev13-4.34.2 | fixed 14.0.11~dev13-4.34.2

    Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.

  • CVE-2018-14432 | Jul 31, 2018
    affected < 14.0.11~dev13-4.25.1 | fixed 14.0.11~dev13-4.25.1

    In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access

  • CVE-2018-1000115 | Mar 5, 2018
    affected < 14.0.11~dev13-4.40.2 | fixed 14.0.11~dev13-4.40.2

    Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported

  • CVE-2017-18191 | Feb 19, 2018
    affected < 14.0.11~dev13-4.22.1 | fixed 14.0.11~dev13-4.22.1

    An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x through 16.1.1. By detaching and reattaching an encrypted volume, an attacker may access the underlying raw volume and corrupt the LUKS header, resulting in a denial of service attack on the compute host. (The

  • CVE-2017-1000246 | Med | Nov 17, 2017
    affected < 14.0.11~dev13-4.40.2 | fixed 14.0.11~dev13-4.40.2

    Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.

  • CVE-2017-16239 | Med | Nov 14, 2017
    affected < 14.0.10~dev13-4.11.3 | fixed 14.0.10~dev13-4.11.3

    In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setup

  • CVE-2017-4967 | Med | Jun 13, 2017
    affected < 14.0.11~dev13-4.40.2 | fixed 14.0.11~dev13-4.40.2

    An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the

  • CVE-2017-4965 | Med | Jun 13, 2017
    affected < 14.0.11~dev13-4.40.2 | fixed 14.0.11~dev13-4.40.2

    An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the

  • CVE-2017-7400 | Med | Apr 3, 2017
    affected < 14.0.6~a0~dev16-3.3 | fixed 14.0.6~a0~dev16-3.3

    OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.

  • CVE-2017-7214 | Cri | Mar 21, 2017
    affected < 14.0.6~a0~dev16-3.3 | fixed 14.0.6~a0~dev16-3.3

    An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization

  • CVE-2016-10127 | Cri | Mar 3, 2017
    affected < 14.0.11~dev13-4.34.2 | fixed 14.0.11~dev13-4.34.2

    PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.

  • CVE-2016-0775 | Med | Apr 13, 2016
    affected < 14.0.11~dev13-4.45.2 | fixed 14.0.11~dev13-4.45.2

    Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.

Page 3 of 3