rpm package
suse/python-pytest&distro=SUSE OpenStack Cloud Crowbar 9
pkg:rpm/suse/python-pytest&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-20933 | — | < 3.7.4-3.3.3 | 3.7.4-3.3.3 | Nov 19, 2020 | InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). | ||
| CVE-2020-24303 | — | < 3.7.4-3.3.3 | 3.7.4-3.3.3 | Oct 28, 2020 | Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. | ||
| CVE-2020-26137 | — | < 3.7.4-3.3.3 | 3.7.4-3.3.3 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | ||
| CVE-2020-5390 | — | < 3.7.4-3.3.3 | 3.7.4-3.3.3 | Jan 13, 2020 | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus | ||
| CVE-2016-10745 | — | < 3.7.4-3.3.3 | 3.7.4-3.3.3 | Apr 8, 2019 | In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. | ||
| CVE-2019-10906 | — | < 3.7.4-3.3.3 | 3.7.4-3.3.3 | Apr 6, 2019 | In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. | ||
| CVE-2019-8341 | — | < 3.7.4-3.3.3 | 3.7.4-3.3.3 | Feb 15, 2019 | An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: |
- CVE-2019-20933Nov 19, 2020affected < 3.7.4-3.3.3fixed 3.7.4-3.3.3
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
- CVE-2020-24303Oct 28, 2020affected < 3.7.4-3.3.3fixed 3.7.4-3.3.3
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
- CVE-2020-26137Sep 29, 2020affected < 3.7.4-3.3.3fixed 3.7.4-3.3.3
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
- CVE-2020-5390Jan 13, 2020affected < 3.7.4-3.3.3fixed 3.7.4-3.3.3
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
- CVE-2016-10745Apr 8, 2019affected < 3.7.4-3.3.3fixed 3.7.4-3.3.3
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
- CVE-2019-10906Apr 6, 2019affected < 3.7.4-3.3.3fixed 3.7.4-3.3.3
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
- CVE-2019-8341Feb 15, 2019affected < 3.7.4-3.3.3fixed 3.7.4-3.3.3
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: