rpm package
suse/python-pysaml2&distro=SUSE OpenStack Cloud Crowbar 9
pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Vulnerabilities (29)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-12052 | — | < 4.5.0-4.6.2 | 4.5.0-4.6.2 | Apr 27, 2020 | Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | ||
| CVE-2020-5390 | — | < 4.5.0-4.3.3 | 4.5.0-4.3.3 | Jan 13, 2020 | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus | ||
| CVE-2019-15043 | — | < 4.5.0-4.6.2 | 4.5.0-4.6.2 | Sep 3, 2019 | In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. | ||
| CVE-2016-10745 | — | < 4.5.0-4.3.3 | 4.5.0-4.3.3 | Apr 8, 2019 | In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. | ||
| CVE-2019-10906 | — | < 4.5.0-4.3.3 | 4.5.0-4.3.3 | Apr 6, 2019 | In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. | ||
| CVE-2019-8341 | — | < 4.5.0-4.3.3 | 4.5.0-4.3.3 | Feb 15, 2019 | An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: | ||
| CVE-2018-19039 | — | < 4.5.0-4.6.2 | 4.5.0-4.6.2 | Dec 13, 2018 | Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. | ||
| CVE-2017-11481 | Med | 6.1 | < 4.5.0-4.6.2 | 4.5.0-4.6.2 | Dec 8, 2017 | Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |
| CVE-2017-11499 | Hig | 7.5 | < 4.5.0-4.6.2 | 4.5.0-4.6.2 | Jul 25, 2017 | Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building |
- CVE-2020-12052Apr 27, 2020affected < 4.5.0-4.6.2fixed 4.5.0-4.6.2
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
- CVE-2020-5390Jan 13, 2020affected < 4.5.0-4.3.3fixed 4.5.0-4.3.3
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
- CVE-2019-15043Sep 3, 2019affected < 4.5.0-4.6.2fixed 4.5.0-4.6.2
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
- CVE-2016-10745Apr 8, 2019affected < 4.5.0-4.3.3fixed 4.5.0-4.3.3
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
- CVE-2019-10906Apr 6, 2019affected < 4.5.0-4.3.3fixed 4.5.0-4.3.3
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
- CVE-2019-8341Feb 15, 2019affected < 4.5.0-4.3.3fixed 4.5.0-4.3.3
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE:
- CVE-2018-19039Dec 13, 2018affected < 4.5.0-4.6.2fixed 4.5.0-4.6.2
Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.
- affected < 4.5.0-4.6.2fixed 4.5.0-4.6.2
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
- affected < 4.5.0-4.6.2fixed 4.5.0-4.6.2
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building
Page 2 of 2