rpm package: suse/spark (distro: SUSE OpenStack Cloud 9)
Package URL: pkg:rpm/suse/spark&distro=SUSE%20OpenStack%20Cloud%209
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-3100 | — | — | — | < 2.2.3-5.12.1 | 2.2.3-5.12.1 | Jan 18, 2023 | A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. |
| CVE-2022-33891 | — | — | Yes | < 2.2.3-5.12.1 | 2.2.3-5.12.1 | Jul 18, 2022 | The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can |
| CVE-2022-23307 | — | — | — | < 2.2.3-5.9.2 | 2.2.3-5.9.2 | Jan 18, 2022 | CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. |
| CVE-2022-23305 | — | — | — | < 2.2.3-5.9.2 | 2.2.3-5.9.2 | Jan 18, 2022 | By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering |
| CVE-2022-23302 | — | — | — | < 2.2.3-5.9.2 | 2.2.3-5.9.2 | Jan 18, 2022 | JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi |
| CVE-2021-4104 | — | — | — | < 2.2.3-5.6.1 | 2.2.3-5.6.1 | Dec 14, 2021 | JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t |
| CVE-2019-20933 | — | — | — | < 2.2.3-5.3.3 | 2.2.3-5.3.3 | Nov 19, 2020 | InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). |
| CVE-2020-24303 | — | — | — | < 2.2.3-5.3.3 | 2.2.3-5.3.3 | Oct 28, 2020 | Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. |
| CVE-2020-26137 | — | — | — | < 2.2.3-5.3.3 | 2.2.3-5.3.3 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. |
| CVE-2020-5390 | — | — | — | < 2.2.3-5.3.3 | 2.2.3-5.3.3 | Jan 13, 2020 | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus |
| CVE-2016-10745 | — | — | — | < 2.2.3-5.3.3 | 2.2.3-5.3.3 | Apr 8, 2019 | In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. |
| CVE-2019-10906 | — | — | — | < 2.2.3-5.3.3 | 2.2.3-5.3.3 | Apr 6, 2019 | In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. |
| CVE-2019-8341 | — | — | — | < 2.2.3-5.3.3 | 2.2.3-5.3.3 | Feb 15, 2019 | An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: |
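The Affected/Fixed columns are only useful if the installed version-release is compared the way rpm compares it (segment by segment, numerically, so 5.9.2 sorts below 5.12.1 even though "9" > "1" as text). The following is an added example, not code from this page or from SUSE: a Python port of rpm's rpmvercmp() ordering (rpm 4.x rules, including the "~" and "^" separators), the fixed-in versions copied from the table above, and a triage function that lists the CVEs still open for a given installed build. Assumptions: the installed version is supplied as a string of the form EPOCH:VERSION-RELEASE or VERSION-RELEASE; the page gives no epoch, so 0 is assumed; the release is only compared when both sides carry one, as rpm's dependency comparison does. The installed version strings in the usage block are constructed.

```python
"""Triage the advisory table against an installed spark EVR (added example)."""


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 as a <, ==, > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' sorts before everything, including end of string: 1.0~rc1 < 1.0
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after end of string but before anything else:
        # 1.0 < 1.0^post1 < 1.0.1
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Next segment: a run of digits if the left side starts with one,
        # otherwise a run of letters; the same kind is taken from both sides.
        kind = str.isdigit if ca.isdigit() else str.isalpha
        m = i
        while m < len(a) and kind(a[m]):
            m += 1
        n = j
        while n < len(b) and kind(b[n]):
            n += 1
        sa, sb = a[i:m], b[j:n]
        if not sb:  # segment kinds differ: a numeric segment beats an alphabetic one
            return 1 if ca.isdigit() else -1
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits (after leading zeros) means bigger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:  # same length: plain string order decides
            return 1 if sa > sb else -1
        i, j = m, n
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'EPOCH:VERSION-RELEASE' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Epoch first, then version, then release (release only when both sides have one)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc == 0 and ra and rb:
        rc = rpmvercmp(ra, rb)
    return rc


# Fixed-in versions copied from the table; "affected" is everything below them.
FIXED_IN = {
    "CVE-2022-3100": "2.2.3-5.12.1",
    "CVE-2022-33891": "2.2.3-5.12.1",
    "CVE-2022-23307": "2.2.3-5.9.2",
    "CVE-2022-23305": "2.2.3-5.9.2",
    "CVE-2022-23302": "2.2.3-5.9.2",
    "CVE-2021-4104": "2.2.3-5.6.1",
    "CVE-2019-20933": "2.2.3-5.3.3",
    "CVE-2020-24303": "2.2.3-5.3.3",
    "CVE-2020-26137": "2.2.3-5.3.3",
    "CVE-2020-5390": "2.2.3-5.3.3",
    "CVE-2016-10745": "2.2.3-5.3.3",
    "CVE-2019-10906": "2.2.3-5.3.3",
    "CVE-2019-8341": "2.2.3-5.3.3",
}


def open_cves(installed_evr: str) -> list:
    """CVEs from the table whose fix is newer than the installed build."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if evrcmp(installed_evr, fixed) < 0)


if __name__ == "__main__":
    # Constructed installed versions, one per fix boundary in the table.
    for evr in ("2.2.3-5.3.3", "2.2.3-5.9.2", "2.2.3-5.12.1"):
        print(evr, "->", open_cves(evr) or "no open CVEs from this table")
```

On the host, the installed string can be produced with `rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' spark` (package name as given on this page) and fed to open_cves(). Note that a naive string or float comparison would call 2.2.3-5.9.2 newer than 2.2.3-5.12.1 and hide the two CVE-2022 fixes; that is the mistake the segment-wise comparison exists to avoid.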
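The CVE-2020-26137 row above names the mechanism: a request method containing CR and LF reaches putrequest() unchecked and lands on the wire as extra lines, so whoever controls the method controls the request line and can append headers. The following is an added example, not urllib3's code: a minimal request writer stands in for a putrequest() that trusts its method argument, a naive parser stands in for the server, and EVIL_METHOD is a constructed attacker-controlled value. The validator enforces the RFC 7230 token grammar for the method, which is the class of check the fixed version applies; the header name, path and host used are assumptions for the demonstration.

```python
"""CRLF injection through an attacker-controlled HTTP method (added example,
not urllib3 code). build_request_unchecked() stands in for a putrequest()
that trusts its method argument; validate_method() is the fix."""
import re

# RFC 7230 'tchar': the only characters allowed in a method (or header name).
# fullmatch() is used deliberately: '$' would still match before a trailing '\n'.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed attacker input: the "method" carries a request line and a header
# of its own, then re-opens a method so the caller's own path still parses.
EVIL_METHOD = "GET /admin HTTP/1.1\r\nX-Injected: 1\r\nGET"


def build_request_unchecked(method: str, path: str, headers: dict) -> bytes:
    """Vulnerable: concatenates the request line without validating method."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def validate_method(method: str) -> str:
    """Reject anything that is not an RFC 7230 token (no CR, LF, space, colon ...)."""
    if not _TOKEN_RE.fullmatch(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return method


def build_request_checked(method: str, path: str, headers: dict) -> bytes:
    """Hardened: same writer, but the method must be a token first."""
    return build_request_unchecked(validate_method(method), path, headers)


def safe_build(method: str, path: str, headers: dict):
    """Like build_request_checked(), but returns None instead of raising."""
    try:
        return build_request_checked(method, path, headers)
    except ValueError:
        return None


def parse_request(raw: bytes):
    """Naive server-side parse: first line is the request line, the rest are headers."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon are not headers; a lenient server drops them
            headers[name.strip()] = value.strip()
    return request_line, headers


def demonstrate_injection():
    """What the server sees when the unchecked writer is fed EVIL_METHOD."""
    raw = build_request_unchecked(EVIL_METHOD, "/public", {"Host": "example.invalid"})
    return parse_request(raw)


if __name__ == "__main__":
    line, hdrs = demonstrate_injection()
    print("unchecked:", line, hdrs)  # the target became /admin and X-Injected appeared
    print("checked:", safe_build(EVIL_METHOD, "/public", {"Host": "example.invalid"}))
```

The same token check belongs on header names, and header values need their own rule (no bare CR or LF), because any field that is concatenated into the wire format is a CRLF sink; the method is simply the one this advisory is about.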