rpm package

suse/release-notes-susemanager&distro=SUSE Manager Server 4.2

pkg:rpm/suse/release-notes-susemanager&distro=SUSE%20Manager%20Server%204.2

Vulnerabilities (21)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2023-22644	—	< 4.2.13-150300.3.81.1	4.2.13-150300.3.81.1	Sep 20, 2023	A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE.
CVE-2022-46146	—	< 4.2.13-150300.3.81.1	4.2.13-150300.3.81.1	Nov 29, 2022	Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.
CVE-2022-43754	—	< 4.2.10-150300.3.57.1	4.2.10-150300.3.57.1	Nov 10, 2022	An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote at
CVE-2022-43753	—	< 4.2.10-150300.3.57.1	4.2.10-150300.3.57.1	Nov 10, 2022	A Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers
CVE-2022-31255	—	< 4.2.10-150300.3.57.1	4.2.10-150300.3.57.1	Nov 10, 2022	An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attacker
CVE-2022-31129	—	< 4.2.9-150300.3.54.1	4.2.9-150300.3.54.1	Jul 6, 2022	moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried
CVE-2022-31248	—	< 4.2.7-150300.3.44.1	4.2.7-150300.3.44.1	Jun 22, 2022	A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.
CVE-2022-21952	—	< 4.2.7-150300.3.44.1	4.2.7-150300.3.44.1	Jun 22, 2022	A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS. This issue affects: SUSE Manager Server 4.1 spacewalk-java version
CVE-2021-41411	—	< 4.2.9-150300.3.54.1	4.2.9-150300.3.54.1	Jun 16, 2022	drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.
CVE-2021-43138	—	< 4.2.9-150300.3.54.1	4.2.9-150300.3.54.1	Apr 6, 2022	In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
CVE-2022-22941	—	< 4.2.5.1-150300.3.34.1	4.2.5.1-150300.3.34.1	Mar 29, 2022	An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no vali
CVE-2022-22936	—	< 4.2.5.1-150300.3.34.1	4.2.5.1-150300.3.34.1	Mar 29, 2022	An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be r
CVE-2022-22935	—	< 4.2.5.1-150300.3.34.1	4.2.5.1-150300.3.34.1	Mar 29, 2022	An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master.
CVE-2022-22934	—	< 4.2.5.1-150300.3.34.1	4.2.5.1-150300.3.34.1	Mar 29, 2022	An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.
CVE-2021-44906	—	< 4.2.7-150300.3.44.1	4.2.7-150300.3.44.1	Mar 17, 2022	Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVE-2021-40348	—	< 4.2.3-3.19.1	4.2.3-3.19.1	Nov 1, 2021	Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to
CVE-2021-42740	—	< 4.2.9-150300.3.54.1	4.2.9-150300.3.54.1	Oct 21, 2021	The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command wi
CVE-2021-40325	—	< 4.2.2-3.12.1	4.2.2-3.12.1	Oct 4, 2021	Cobbler before 3.3.0 allows authorization bypass for modification of settings.
CVE-2021-40324	—	< 4.2.2-3.12.1	4.2.2-3.12.1	Oct 4, 2021	Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
CVE-2021-40323	—	< 4.2.2-3.12.1	4.2.2-3.12.1	Oct 4, 2021	Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.

CVE-2023-22644Sep 20, 2023
affected < 4.2.13-150300.3.81.1fixed 4.2.13-150300.3.81.1
A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE.
CVE-2022-46146Nov 29, 2022
affected < 4.2.13-150300.3.81.1fixed 4.2.13-150300.3.81.1
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.
CVE-2022-43754Nov 10, 2022
affected < 4.2.10-150300.3.57.1fixed 4.2.10-150300.3.57.1
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote at
CVE-2022-43753Nov 10, 2022
affected < 4.2.10-150300.3.57.1fixed 4.2.10-150300.3.57.1
A Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers
CVE-2022-31255Nov 10, 2022
affected < 4.2.10-150300.3.57.1fixed 4.2.10-150300.3.57.1
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attacker
CVE-2022-31129Jul 6, 2022
affected < 4.2.9-150300.3.54.1fixed 4.2.9-150300.3.54.1
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried
CVE-2022-31248Jun 22, 2022
affected < 4.2.7-150300.3.44.1fixed 4.2.7-150300.3.44.1
A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.
CVE-2022-21952Jun 22, 2022
affected < 4.2.7-150300.3.44.1fixed 4.2.7-150300.3.44.1
A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS. This issue affects: SUSE Manager Server 4.1 spacewalk-java version
CVE-2021-41411Jun 16, 2022
affected < 4.2.9-150300.3.54.1fixed 4.2.9-150300.3.54.1
drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.
CVE-2021-43138Apr 6, 2022
affected < 4.2.9-150300.3.54.1fixed 4.2.9-150300.3.54.1
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
CVE-2022-22941Mar 29, 2022
affected < 4.2.5.1-150300.3.34.1fixed 4.2.5.1-150300.3.34.1
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no vali
CVE-2022-22936Mar 29, 2022
affected < 4.2.5.1-150300.3.34.1fixed 4.2.5.1-150300.3.34.1
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be r
CVE-2022-22935Mar 29, 2022
affected < 4.2.5.1-150300.3.34.1fixed 4.2.5.1-150300.3.34.1
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master.
CVE-2022-22934Mar 29, 2022
affected < 4.2.5.1-150300.3.34.1fixed 4.2.5.1-150300.3.34.1
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.
CVE-2021-44906Mar 17, 2022
affected < 4.2.7-150300.3.44.1fixed 4.2.7-150300.3.44.1
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVE-2021-40348Nov 1, 2021
affected < 4.2.3-3.19.1fixed 4.2.3-3.19.1
Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to
CVE-2021-42740Oct 21, 2021
affected < 4.2.9-150300.3.54.1fixed 4.2.9-150300.3.54.1
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command wi
CVE-2021-40325Oct 4, 2021
affected < 4.2.2-3.12.1fixed 4.2.2-3.12.1
Cobbler before 3.3.0 allows authorization bypass for modification of settings.
CVE-2021-40324Oct 4, 2021
affected < 4.2.2-3.12.1fixed 4.2.2-3.12.1
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
CVE-2021-40323Oct 4, 2021
affected < 4.2.2-3.12.1fixed 4.2.2-3.12.1
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.

Page 1 of 2