rpm package
suse/spacewalk-certs-tools&distro=SUSE Manager Server Module 4.1
pkg:rpm/suse/spacewalk-certs-tools&distro=SUSE%20Manager%20Server%20Module%204.1
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21996 | — | < 4.1.19-3.22.2 | 4.1.19-3.22.2 | Sep 8, 2021 | An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. | ||
| CVE-2021-31607 | — | < 4.1.17-3.17.2 | 4.1.17-3.17.2 | Apr 23, 2021 | In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the s | ||
| CVE-2021-28657 | — | < 4.1.17-3.17.2 | 4.1.17-3.17.2 | Mar 31, 2021 | A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later. | ||
| CVE-2020-25638 | — | < 4.1.20-3.25.2 | 4.1.20-3.25.2 | Dec 2, 2020 | A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access u | ||
| CVE-2019-14900 | — | < 4.1.13-3.6.3 | 4.1.13-3.6.3 | Jul 6, 2020 | A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacke | ||
| CVE-2020-13692 | — | < 4.1.14-3.9.5 | 4.1.14-3.9.5 | Jun 4, 2020 | PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. | ||
| CVE-2020-11022 | Med | 6.9 | < 4.1.12-3.3.6 | 4.1.12-3.3.6 | Apr 29, 2020 | In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
- CVE-2021-21996Sep 8, 2021affected < 4.1.19-3.22.2fixed 4.1.19-3.22.2
An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
- CVE-2021-31607Apr 23, 2021affected < 4.1.17-3.17.2fixed 4.1.17-3.17.2
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the s
- CVE-2021-28657Mar 31, 2021affected < 4.1.17-3.17.2fixed 4.1.17-3.17.2
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
- CVE-2020-25638Dec 2, 2020affected < 4.1.20-3.25.2fixed 4.1.20-3.25.2
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access u
- CVE-2019-14900Jul 6, 2020affected < 4.1.13-3.6.3fixed 4.1.13-3.6.3
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacke
- CVE-2020-13692Jun 4, 2020affected < 4.1.14-3.9.5fixed 4.1.14-3.9.5
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
- affected < 4.1.12-3.3.6fixed 4.1.12-3.3.6
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.