rpm package
suse/spacewalk-web&distro=SUSE Manager Server Module 4.1
pkg:rpm/suse/spacewalk-web&distro=SUSE%20Manager%20Server%20Module%204.1
Vulnerabilities (22)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-31248 | — | < 4.1.34-150200.3.47.6 | 4.1.34-150200.3.47.6 | Jun 22, 2022 | A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4. | ||
| CVE-2022-21952 | — | < 4.1.34-150200.3.47.6 | 4.1.34-150200.3.47.6 | Jun 22, 2022 | A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS. This issue affects: SUSE Manager Server 4.1 spacewalk-java version | ||
| CVE-2022-26520 | — | < 4.1.34-150200.3.47.6 | 4.1.34-150200.3.47.6 | Mar 7, 2022 | In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP | ||
| CVE-2022-21698 | — | < 4.1.34-150200.3.47.6 | 4.1.34-150200.3.47.6 | Feb 15, 2022 | client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde | ||
| CVE-2022-21724 | — | < 4.1.34-150200.3.47.6 | 4.1.34-150200.3.47.6 | Feb 2, 2022 | pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin | ||
| CVE-2021-21996 | — | < 4.1.30-3.36.1 | 4.1.30-3.36.1 | Sep 8, 2021 | An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. | ||
| CVE-2021-31607 | — | < 4.1.26-3.24.8 | 4.1.26-3.24.8 | Apr 23, 2021 | In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the s | ||
| CVE-2021-28657 | — | < 4.1.26-3.24.8 | 4.1.26-3.24.8 | Mar 31, 2021 | A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later. | ||
| CVE-2020-28477 | — | < 4.1.23-3.18.6 | 4.1.23-3.18.6 | Jan 19, 2021 | This affects all versions of package immer. | ||
| CVE-2020-26258 | — | < 4.1.23-3.18.6 | 4.1.23-3.18.6 | Dec 16, 2020 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are | ||
| CVE-2020-26259 | — | < 4.1.23-3.18.6 | 4.1.23-3.18.6 | Dec 16, 2020 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as lo | ||
| CVE-2020-25638 | — | < 4.1.31-3.39.1 | 4.1.31-3.39.1 | Dec 2, 2020 | A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access u | ||
| CVE-2020-26217 | — | < 4.1.23-3.18.6 | 4.1.23-3.18.6 | Nov 16, 2020 | XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Fram | ||
| CVE-2020-25592 | — | < 4.1.19-3.9.5 | 4.1.19-3.9.5 | Nov 6, 2020 | In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. | ||
| CVE-2020-17490 | — | < 4.1.19-3.9.5 | 4.1.19-3.9.5 | Nov 6, 2020 | The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions. | ||
| CVE-2020-16846 | — | KEV | < 4.1.19-3.9.5 | 4.1.19-3.9.5 | Nov 6, 2020 | An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. | |
| CVE-2020-15168 | — | < 4.1.19-3.9.5 | 4.1.19-3.9.5 | Sep 10, 2020 | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have | ||
| CVE-2019-14900 | — | < 4.1.18-3.6.3 | 4.1.18-3.6.3 | Jul 6, 2020 | A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacke | ||
| CVE-2020-13692 | — | < 4.1.21-3.12.5 | 4.1.21-3.12.5 | Jun 4, 2020 | PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. | ||
| CVE-2020-11022 | Med | 6.9 | < 4.1.15-3.3.6 | 4.1.15-3.3.6 | Apr 29, 2020 | In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
- CVE-2022-31248Jun 22, 2022affected < 4.1.34-150200.3.47.6fixed 4.1.34-150200.3.47.6
A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.
- CVE-2022-21952Jun 22, 2022affected < 4.1.34-150200.3.47.6fixed 4.1.34-150200.3.47.6
A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS. This issue affects: SUSE Manager Server 4.1 spacewalk-java version
- CVE-2022-26520Mar 7, 2022affected < 4.1.34-150200.3.47.6fixed 4.1.34-150200.3.47.6
In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP
- CVE-2022-21698Feb 15, 2022affected < 4.1.34-150200.3.47.6fixed 4.1.34-150200.3.47.6
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde
- CVE-2022-21724Feb 2, 2022affected < 4.1.34-150200.3.47.6fixed 4.1.34-150200.3.47.6
pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin
- CVE-2021-21996Sep 8, 2021affected < 4.1.30-3.36.1fixed 4.1.30-3.36.1
An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
- CVE-2021-31607Apr 23, 2021affected < 4.1.26-3.24.8fixed 4.1.26-3.24.8
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the s
- CVE-2021-28657Mar 31, 2021affected < 4.1.26-3.24.8fixed 4.1.26-3.24.8
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
- CVE-2020-28477Jan 19, 2021affected < 4.1.23-3.18.6fixed 4.1.23-3.18.6
This affects all versions of package immer.
- CVE-2020-26258Dec 16, 2020affected < 4.1.23-3.18.6fixed 4.1.23-3.18.6
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are
- CVE-2020-26259Dec 16, 2020affected < 4.1.23-3.18.6fixed 4.1.23-3.18.6
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as lo
- CVE-2020-25638Dec 2, 2020affected < 4.1.31-3.39.1fixed 4.1.31-3.39.1
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access u
- CVE-2020-26217Nov 16, 2020affected < 4.1.23-3.18.6fixed 4.1.23-3.18.6
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Fram
- CVE-2020-25592Nov 6, 2020affected < 4.1.19-3.9.5fixed 4.1.19-3.9.5
In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
- CVE-2020-17490Nov 6, 2020affected < 4.1.19-3.9.5fixed 4.1.19-3.9.5
The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.
- affected < 4.1.19-3.9.5fixed 4.1.19-3.9.5
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
- CVE-2020-15168Sep 10, 2020affected < 4.1.19-3.9.5fixed 4.1.19-3.9.5
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have
- CVE-2019-14900Jul 6, 2020affected < 4.1.18-3.6.3fixed 4.1.18-3.6.3
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacke
- CVE-2020-13692Jun 4, 2020affected < 4.1.21-3.12.5fixed 4.1.21-3.12.5
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
- affected < 4.1.15-3.3.6fixed 4.1.15-3.3.6
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Page 1 of 2