rpm package
suse/release-notes-susemanager-proxy&distro=SUSE Manager Retail Branch Server 4.2
pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.2
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-43754 | — | — | — | < 4.2.10-150300.3.46.1 | 4.2.10-150300.3.46.1 | Nov 10, 2022 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote at |
| CVE-2022-43753 | — | — | — | < 4.2.10-150300.3.46.1 | 4.2.10-150300.3.46.1 | Nov 10, 2022 | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers |
| CVE-2022-31255 | — | — | — | < 4.2.10-150300.3.46.1 | 4.2.10-150300.3.46.1 | Nov 10, 2022 | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attacker |
| CVE-2022-31129 | — | — | — | < 4.2.9-150300.3.43.1 | 4.2.9-150300.3.43.1 | Jul 6, 2022 | moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried |
| CVE-2022-31248 | — | — | — | < 4.2.7-150300.3.31.2 | 4.2.7-150300.3.31.2 | Jun 22, 2022 | An Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4. |
| CVE-2022-21952 | — | — | — | < 4.2.7-150300.3.31.2 | 4.2.7-150300.3.31.2 | Jun 22, 2022 | A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS. This issue affects: SUSE Manager Server 4.1 spacewalk-java version |
| CVE-2021-41411 | — | — | — | < 4.2.9-150300.3.43.1 | 4.2.9-150300.3.43.1 | Jun 16, 2022 | drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability. |
| CVE-2021-43138 | — | — | — | < 4.2.9-150300.3.43.1 | 4.2.9-150300.3.43.1 | Apr 6, 2022 | In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. |
| CVE-2021-44906 | — | — | — | < 4.2.7-150300.3.31.2 | 4.2.7-150300.3.31.2 | Mar 17, 2022 | Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). |
| CVE-2021-40348 | — | — | — | < 4.2.3-3.15.1 | 4.2.3-3.15.1 | Nov 1, 2021 | Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to |
| CVE-2021-42740 | — | — | — | < 4.2.9-150300.3.43.1 | 4.2.9-150300.3.43.1 | Oct 21, 2021 | The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command wi |
| CVE-2021-40325 | — | — | — | < 4.2.2-3.12.1 | 4.2.2-3.12.1 | Oct 4, 2021 | Cobbler before 3.3.0 allows authorization bypass for modification of settings. |
| CVE-2021-40324 | — | — | — | < 4.2.2-3.12.1 | 4.2.2-3.12.1 | Oct 4, 2021 | Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. |
| CVE-2021-40323 | — | — | — | < 4.2.2-3.12.1 | 4.2.2-3.12.1 | Oct 4, 2021 | Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. |
| CVE-2021-21996 | — | — | — | < 4.2.3-3.15.1 | 4.2.3-3.15.1 | Sep 8, 2021 | An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. |
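The "Affected versions" column is an RPM EVR range, not a string range: 4.2.10-150300.3.46.1 is newer than 4.2.9-150300.3.43.1 even though it sorts lower lexically, the release part only matters once the version part is equal, and a package carrying a non-zero epoch outranks every epoch-0 entry. The following added example (written for this page, not code from SUSE or from the database behind the table) ports rpm's rpmvercmp() segment algorithm to Python and uses it to report which of the 15 CVEs above an installed release-notes-susemanager-proxy EVR still lacks the fix for. The fixed-in values are transcribed from the table; the installed EVRs in the `__main__` block are constructed inputs.

```python
import re

# Fixed-in versions transcribed from the table above for
# release-notes-susemanager-proxy on SUSE Manager Retail Branch Server 4.2
# (format VERSION-RELEASE; the page lists no epoch).
FIXED_IN = {
    "CVE-2022-43754": "4.2.10-150300.3.46.1",
    "CVE-2022-43753": "4.2.10-150300.3.46.1",
    "CVE-2022-31255": "4.2.10-150300.3.46.1",
    "CVE-2022-31129": "4.2.9-150300.3.43.1",
    "CVE-2022-31248": "4.2.7-150300.3.31.2",
    "CVE-2022-21952": "4.2.7-150300.3.31.2",
    "CVE-2021-41411": "4.2.9-150300.3.43.1",
    "CVE-2021-43138": "4.2.9-150300.3.43.1",
    "CVE-2021-44906": "4.2.7-150300.3.31.2",
    "CVE-2021-40348": "4.2.3-3.15.1",
    "CVE-2021-42740": "4.2.9-150300.3.43.1",
    "CVE-2021-40325": "4.2.2-3.12.1",
    "CVE-2021-40324": "4.2.2-3.12.1",
    "CVE-2021-40323": "4.2.2-3.12.1",
    "CVE-2021-21996": "4.2.3-3.15.1",
}

_KEEP = re.compile(r"[A-Za-z0-9~^]")  # characters rpmvercmp does not skip


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 for a <, ==, > b."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # Separators ('.', '-', '_', ...) carry no meaning; skip them.
        while one and not _KEEP.match(one[0]):
            one = one[1:]
        while two and not _KEEP.match(two[0]):
            two = two[1:]
        # '~' marks a pre-release: it sorts before anything, even end of string.
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        # '^' marks a post-release: after end of string, before anything else.
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        # Take the leading all-digit or all-alpha segment from each side.
        isnum = one[0] in "0123456789"
        pat = r"[0-9]*" if isnum else r"[A-Za-z]*"
        seg1, seg2 = re.match(pat, one).group(0), re.match(pat, two).group(0)
        if not seg2:
            return 1 if isnum else -1  # a numeric segment beats an alpha one
        if isnum:
            # Numeric compare without int(): drop leading zeros, longer wins,
            # equal length falls back to a lexicographic compare.
            s1, s2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
            if s1 != s2:
                return 1 if s1 > s2 else -1
        elif seg1 != seg2:
            return 1 if seg1 > seg2 else -1
        one, two = one[len(seg1):], two[len(seg2):]
    if not one and not two:
        return 0
    return -1 if not one else 1


def split_evr(evr: str):
    """Split '[EPOCH:]VERSION[-RELEASE]'; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Full EVR ordering: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def open_cves(installed_evr: str) -> list:
    """CVEs from the table whose 'Fixed in' version the installed package predates."""
    return sorted(c for c, fixed in FIXED_IN.items() if evr_cmp(installed_evr, fixed) < 0)


if __name__ == "__main__":
    # Constructed example inputs; on a real host take the EVR from
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' release-notes-susemanager-proxy
    for evr in ("4.2.2-3.11.1", "4.2.9-150300.3.43.1", "4.2.10-150300.3.46.1"):
        print(evr, "->", open_cves(evr) or "no open CVEs from this list")
```

The descriptions above place the actual flaws in components such as spacewalk-java, Cobbler, Salt and bundled JavaScript libraries, so the release-notes package version is an indicator of which maintenance update level is applied, not the binary that carries the fix; a host that reports an up-to-date release-notes EVR should still be checked for the component packages themselves.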