VYPR

rpm package

suse/release-notes-susemanager-proxy (distro: SUSE Manager Proxy 4.2)

pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Proxy%204.2

Vulnerabilities (17)

  • CVE-2023-22644 (Sep 20, 2023)
    affected < 4.2.13-150300.3.64.2, fixed in 4.2.13-150300.3.64.2

    A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE.

  • CVE-2022-46146 (Nov 29, 2022)
    affected < 4.2.13-150300.3.64.2, fixed in 4.2.13-150300.3.64.2

    Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.

  • CVE-2022-43754 (Nov 10, 2022)
    affected < 4.2.10-150300.3.46.1, fixed in 4.2.10-150300.3.46.1

    An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote at

  • CVE-2022-43753 (Nov 10, 2022)
    affected < 4.2.10-150300.3.46.1, fixed in 4.2.10-150300.3.46.1

    An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers

  • CVE-2022-31255 (Nov 10, 2022)
    affected < 4.2.10-150300.3.46.1, fixed in 4.2.10-150300.3.46.1

    An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attacker

  • CVE-2022-31129 (Jul 6, 2022)
    affected < 4.2.9-150300.3.43.1, fixed in 4.2.9-150300.3.43.1

    moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried

  • CVE-2022-31248 (Jun 22, 2022)
    affected < 4.2.7-150300.3.31.2, fixed in 4.2.7-150300.3.31.2

    An Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.

  • CVE-2022-21952 (Jun 22, 2022)
    affected < 4.2.7-150300.3.31.2, fixed in 4.2.7-150300.3.31.2

    A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS. This issue affects: SUSE Manager Server 4.1 spacewalk-java version

  • CVE-2021-41411 (Jun 16, 2022)
    affected < 4.2.9-150300.3.43.1, fixed in 4.2.9-150300.3.43.1

    drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

  • CVE-2021-43138 (Apr 6, 2022)
    affected < 4.2.9-150300.3.43.1, fixed in 4.2.9-150300.3.43.1

    In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

  • CVE-2021-44906 (Mar 17, 2022)
    affected < 4.2.7-150300.3.31.2, fixed in 4.2.7-150300.3.31.2

    Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

  • CVE-2021-40348 (Nov 1, 2021)
    affected < 4.2.3-3.15.1, fixed in 4.2.3-3.15.1

    Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to

  • CVE-2021-42740 (Oct 21, 2021)
    affected < 4.2.9-150300.3.43.1, fixed in 4.2.9-150300.3.43.1

    The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command wi

  • CVE-2021-40325 (Oct 4, 2021)
    affected < 4.2.2-3.12.1, fixed in 4.2.2-3.12.1

    Cobbler before 3.3.0 allows authorization bypass for modification of settings.

  • CVE-2021-40324 (Oct 4, 2021)
    affected < 4.2.2-3.12.1, fixed in 4.2.2-3.12.1

    Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.

  • CVE-2021-40323 (Oct 4, 2021)
    affected < 4.2.2-3.12.1, fixed in 4.2.2-3.12.1

    Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.

  • CVE-2021-21996 (Sep 8, 2021)
    affected < 4.2.3-3.15.1, fixed in 4.2.3-3.15.1

    An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
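The practical question this list raises is which of the 17 entries still apply to a given proxy. Every "affected < X, fixed in X" line is an rpm version-release boundary, and rpm ordering is not string ordering: 4.2.10 sorts after 4.2.9, a '~' marks a pre-release that sorts before the bare version, and the epoch overrides everything. The script below is an added example, not code from this site or from SUSE. It reimplements rpm's rpmvercmp() ordering in Python (an assumption about fidelity: the rules follow rpm's documented segment comparison, including '~' and '^'), transcribes the fixed-in table from the list above, and reports the CVEs whose first fixed build is newer than an installed EVR. The `rpm -q --qf` query in the comment is the real way to obtain that EVR on a host; the value used in the main block is constructed.

```python
"""Triage the CVE list above against an installed release-notes-susemanager-proxy EVR.

Added example (not from the listing's site or from SUSE): rpm's version ordering
reimplemented in Python plus the fixed-in table transcribed from the list above.
"""
import itertools
import re
from typing import Dict, List, Tuple

# Transcribed from the listing: first fixed version-release -> CVEs it closes,
# flattened into CVE -> fixed version-release.
FIXED_IN: Dict[str, str] = {cve: fixed for fixed, cves in {
    "4.2.13-150300.3.64.2": ["CVE-2023-22644", "CVE-2022-46146"],
    "4.2.10-150300.3.46.1": ["CVE-2022-43754", "CVE-2022-43753", "CVE-2022-31255"],
    "4.2.9-150300.3.43.1": ["CVE-2022-31129", "CVE-2021-41411",
                            "CVE-2021-43138", "CVE-2021-42740"],
    "4.2.7-150300.3.31.2": ["CVE-2022-31248", "CVE-2022-21952", "CVE-2021-44906"],
    "4.2.3-3.15.1": ["CVE-2021-40348", "CVE-2021-21996"],
    "4.2.2-3.12.1": ["CVE-2021-40325", "CVE-2021-40324", "CVE-2021-40323"],
}.items() for cve in cves}

# One rpmvercmp segment: a digit run, a letter run, or a '~'/'^' marker.
# Every other character (. - _ +) is a separator and is skipped, as rpm does.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings like rpm's rpmvercmp(): -1, 0 or 1.

    Segments compare pairwise: digit runs as integers (so 4.2.10 > 4.2.9),
    letter runs lexically, digits beating letters; '~' sorts before anything
    (pre-release), '^' after the bare version but before any further segment.
    """
    for x, y in itertools.zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == "~" or y == "~":            # the side without the tilde is newer
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x == "^" or y == "^":            # caret beats end-of-string only
            if x != "^":
                return -1 if x is None else 1
            if y != "^":
                return 1 if y is None else -1
            continue
        if x is None:                        # a ran out of segments first
            return -1
        if y is None:
            return 1
        x_num, y_num = x[0].isdigit(), y[0].isdigit()
        if x_num != y_num:                   # numeric segment beats alphabetic
            return 1 if x_num else -1
        xv, yv = (int(x), int(y)) if x_num else (x, y)
        if xv != yv:
            return 1 if xv > yv else -1
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' (epoch and release optional) as rpm does."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        if head.isdigit():                   # rpm prints '(none)' when unset
            epoch = int(head)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def unfixed_cves(installed_evr: str, fixed_in: Dict[str, str] = FIXED_IN) -> List[str]:
    """CVEs from the table whose first fixed build is newer than the installed EVR."""
    return sorted(c for c, fixed in fixed_in.items() if evrcmp(installed_evr, fixed) < 0)


if __name__ == "__main__":
    # On a real proxy the installed EVR comes from:
    #   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' release-notes-susemanager-proxy
    # The value below is constructed to stand in for that output.
    installed = "(none):4.2.9-150300.3.43.1"
    for cve in unfixed_cves(installed):
        print(f"{cve}: installed {installed} is older than fix {FIXED_IN[cve]}")
```

Two caveats when using this. First, the epoch must be part of the comparison: a package with epoch 1 is newer than any epoch-0 build regardless of version, so feed the full `%{EPOCH}:%{VERSION}-%{RELEASE}` string rather than `%{VERSION}-%{RELEASE}` alone. Second, the listing keys these CVEs to the release-notes package, whose version simply advances with each SUSE Manager Proxy maintenance update; the vulnerable code lives in the component packages named in each description (NeuVector, the Prometheus exporter toolkit, moment, spacewalk-java, Cobbler, Salt, and so on), so a release-notes version at or above the boundary indicates the update level, and the component packages themselves should be checked the same way.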