rpm package

suse/python-keystoneauth1&distro=SUSE OpenStack Cloud Crowbar 8

pkg:rpm/suse/python-keystoneauth1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208

Vulnerabilities (23)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2020-10743	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Jun 2, 2021	It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
CVE-2020-13379	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Jun 3, 2020	The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
CVE-2020-13596	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Jun 3, 2020	An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
CVE-2020-13254	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Jun 3, 2020	An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
CVE-2020-11077	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	May 22, 2020	In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis
CVE-2020-11076	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	May 22, 2020	In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
CVE-2020-8151	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	May 12, 2020	There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
CVE-2020-10663	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Apr 28, 2020	The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically,
CVE-2020-12052	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Apr 27, 2020	Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVE-2019-16792	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Jan 22, 2020	Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally.
CVE-2020-5390	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Jan 13, 2020	PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2019-19911	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Jan 5, 2020	There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho
CVE-2020-5312	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Jan 3, 2020	libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
CVE-2020-5313	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Jan 3, 2020	libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
CVE-2019-16789	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Dec 26, 2019	In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain
CVE-2019-16785	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Dec 20, 2019	Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if
CVE-2019-16786	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Dec 20, 2019	Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separ
CVE-2019-18874	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Nov 12, 2019	psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-16865	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Oct 4, 2019	An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
CVE-2019-15043	—	< 3.1.2~dev2-3.3.1	3.1.2~dev2-3.3.1	Sep 3, 2019	In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

CVE-2020-10743Jun 2, 2021
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
CVE-2020-13379Jun 3, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
CVE-2020-13596Jun 3, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
CVE-2020-13254Jun 3, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
CVE-2020-11077May 22, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis
CVE-2020-11076May 22, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
CVE-2020-8151May 12, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
CVE-2020-10663Apr 28, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically,
CVE-2020-12052Apr 27, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVE-2019-16792Jan 22, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally.
CVE-2020-5390Jan 13, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2019-19911Jan 5, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho
CVE-2020-5312Jan 3, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
CVE-2020-5313Jan 3, 2020
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
CVE-2019-16789Dec 26, 2019
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain
CVE-2019-16785Dec 20, 2019
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if
CVE-2019-16786Dec 20, 2019
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separ
CVE-2019-18874Nov 12, 2019
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-16865Oct 4, 2019
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
CVE-2019-15043Sep 3, 2019
affected < 3.1.2~dev2-3.3.1fixed 3.1.2~dev2-3.3.1
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

Page 1 of 2