rpm package
suse/python-waitress&distro=SUSE OpenStack Cloud 9
pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%209
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-24761 | — | < 1.4.3-3.6.1 | 1.4.3-3.6.1 | Mar 17, 2022 | Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one requ | ||
| CVE-2020-10743 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | ||
| CVE-2020-10177 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 25, 2020 | Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. | ||
| CVE-2020-11538 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 25, 2020 | In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. | ||
| CVE-2020-10994 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 25, 2020 | In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. | ||
| CVE-2020-10378 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 25, 2020 | In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. | ||
| CVE-2020-8184 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 19, 2020 | A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. | ||
| CVE-2020-10755 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 10, 2020 | An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th | ||
| CVE-2020-13379 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2020-13596 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. | ||
| CVE-2020-13254 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. | ||
| CVE-2020-12052 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Apr 27, 2020 | Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | ||
| CVE-2020-9402 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Mar 5, 2020 | Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possibl | ||
| CVE-2020-7471 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Feb 3, 2020 | Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitabl | ||
| CVE-2019-16792 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jan 22, 2020 | Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. | ||
| CVE-2019-19911 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jan 5, 2020 | There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho | ||
| CVE-2020-5311 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jan 3, 2020 | libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. | ||
| CVE-2020-5312 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jan 3, 2020 | libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. | ||
| CVE-2020-5313 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Jan 3, 2020 | libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. | ||
| CVE-2019-16789 | — | < 1.4.3-3.3.1 | 1.4.3-3.3.1 | Dec 26, 2019 | In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain |
- CVE-2022-24761Mar 17, 2022affected < 1.4.3-3.6.1fixed 1.4.3-3.6.1
Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one requ
- CVE-2020-10743Jun 2, 2021affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- CVE-2020-10177Jun 25, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
- CVE-2020-11538Jun 25, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
- CVE-2020-10994Jun 25, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
- CVE-2020-10378Jun 25, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
- CVE-2020-8184Jun 19, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
- CVE-2020-10755Jun 10, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with th
- CVE-2020-13379Jun 3, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2020-13596Jun 3, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
- CVE-2020-13254Jun 3, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
- CVE-2020-12052Apr 27, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
- CVE-2020-9402Mar 5, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possibl
- CVE-2020-7471Feb 3, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitabl
- CVE-2019-16792Jan 22, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally.
- CVE-2019-19911Jan 5, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho
- CVE-2020-5311Jan 3, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.
- CVE-2020-5312Jan 3, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
- CVE-2020-5313Jan 3, 2020affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
- CVE-2019-16789Dec 26, 2019affected < 1.4.3-3.3.1fixed 1.4.3-3.3.1
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain
Page 1 of 2