rpm package

suse/python-pysaml2&distro=SUSE OpenStack Cloud 7

pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%207

Vulnerabilities (41)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2017-1002201		—	< 4.0.2-3.14.1	4.0.2-3.14.1	Oct 15, 2019	In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially e
CVE-2019-16865		—	< 4.0.2-3.17.1	4.0.2-3.17.1	Oct 4, 2019	An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
CVE-2019-15043		—	< 4.0.2-3.17.1	4.0.2-3.17.1	Sep 3, 2019	In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
CVE-2019-15026		—	< 4.0.2-3.17.1	4.0.2-3.17.1	Aug 30, 2019	memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.
CVE-2019-5477		—	< 4.0.2-3.11.3	4.0.2-3.11.3	Aug 16, 2019	A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input a
CVE-2019-0201		—	< 4.0.2-3.17.1	4.0.2-3.17.1	May 23, 2019	An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuth
CVE-2019-11596		—	< 4.0.2-3.17.1	4.0.2-3.17.1	Apr 29, 2019	In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.
CVE-2019-2628		—	< 4.0.2-3.14.1	4.0.2-3.14.1	Apr 23, 2019	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr
CVE-2019-2627		—	< 4.0.2-3.14.1	4.0.2-3.14.1	Apr 23, 2019	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with networ
CVE-2019-2614		—	< 4.0.2-3.14.1	4.0.2-3.14.1	Apr 23, 2019	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with network acces
CVE-2019-3828		—	< 4.0.2-3.17.1	4.0.2-3.17.1	Mar 27, 2019	Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
CVE-2019-3498		—	< 4.0.2-3.17.1	4.0.2-3.17.1	Jan 9, 2019	In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a use
CVE-2018-1000872		—	< 4.0.2-3.6.3	4.0.2-3.6.3	Dec 20, 2018	OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399: Resource Management Errors (similar issue to CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the server can be made unavailable by one or more clients opening all of the available sockets.
CVE-2018-19039		—	< 4.0.2-3.11.3	4.0.2-3.11.3	Dec 13, 2018	Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.
CVE-2018-15727		—	< 4.0.2-3.11.3	4.0.2-3.11.3	Aug 29, 2018	Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
CVE-2018-1000115		—	< 4.0.2-3.17.1	4.0.2-3.17.1	Mar 5, 2018	Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported
CVE-2017-1000433		—	< 4.0.2-3.3.2	4.0.2-3.3.2	Jan 2, 2018	pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
CVE-2017-1000246	Med	5.3	< 4.0.2-3.17.1	4.0.2-3.17.1	Nov 17, 2017	Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.
CVE-2017-4967	Med	6.1	< 4.0.2-3.17.1	4.0.2-3.17.1	Jun 13, 2017	An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the
CVE-2017-4965	Med	6.1	< 4.0.2-3.17.1	4.0.2-3.17.1	Jun 13, 2017	An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the

CVE-2017-1002201Oct 15, 2019
affected < 4.0.2-3.14.1fixed 4.0.2-3.14.1
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially e
CVE-2019-16865Oct 4, 2019
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
CVE-2019-15043Sep 3, 2019
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
CVE-2019-15026Aug 30, 2019
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.
CVE-2019-5477Aug 16, 2019
affected < 4.0.2-3.11.3fixed 4.0.2-3.11.3
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input a
CVE-2019-0201May 23, 2019
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuth
CVE-2019-11596Apr 29, 2019
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.
CVE-2019-2628Apr 23, 2019
affected < 4.0.2-3.14.1fixed 4.0.2-3.14.1
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr
CVE-2019-2627Apr 23, 2019
affected < 4.0.2-3.14.1fixed 4.0.2-3.14.1
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with networ
CVE-2019-2614Apr 23, 2019
affected < 4.0.2-3.14.1fixed 4.0.2-3.14.1
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with network acces
CVE-2019-3828Mar 27, 2019
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
CVE-2019-3498Jan 9, 2019
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a use
CVE-2018-1000872Dec 20, 2018
affected < 4.0.2-3.6.3fixed 4.0.2-3.6.3
OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399: Resource Management Errors (similar issue to CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the server can be made unavailable by one or more clients opening all of the available sockets.
CVE-2018-19039Dec 13, 2018
affected < 4.0.2-3.11.3fixed 4.0.2-3.11.3
Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.
CVE-2018-15727Aug 29, 2018
affected < 4.0.2-3.11.3fixed 4.0.2-3.11.3
Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
CVE-2018-1000115Mar 5, 2018
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported
CVE-2017-1000433Jan 2, 2018
affected < 4.0.2-3.3.2fixed 4.0.2-3.3.2
pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.
CVE-2017-1000246MedNov 17, 2017
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.
CVE-2017-4967MedJun 13, 2017
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the
CVE-2017-4965MedJun 13, 2017
affected < 4.0.2-3.17.1fixed 4.0.2-3.17.1
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. Several forms in the

Page 2 of 3