rpm package
suse/storm&distro=SUSE OpenStack Cloud Crowbar 9
pkg:rpm/suse/storm&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-23307 | — | < 1.2.3-3.8.1 | 1.2.3-3.8.1 | Jan 18, 2022 | CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. | ||
| CVE-2022-23305 | — | < 1.2.3-3.8.1 | 1.2.3-3.8.1 | Jan 18, 2022 | By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering | ||
| CVE-2022-23302 | — | < 1.2.3-3.8.1 | 1.2.3-3.8.1 | Jan 18, 2022 | JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi | ||
| CVE-2021-4104 | — | < 1.2.3-3.5.1 | 1.2.3-3.5.1 | Dec 14, 2021 | JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t | ||
| CVE-2021-44228 | — | KEV | < 1.2.3-3.5.1 | 1.2.3-3.5.1 | Dec 10, 2021 | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messa | |
| CVE-2020-25032 | — | < 1.2.3-3.3.4 | 1.2.3-3.3.4 | Aug 31, 2020 | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. | ||
| CVE-2020-17376 | — | < 1.2.3-3.3.4 | 1.2.3-3.3.4 | Aug 26, 2020 | An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar | ||
| CVE-2020-11110 | — | < 1.2.3-3.3.4 | 1.2.3-3.3.4 | Jul 27, 2020 | Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. | ||
| CVE-2018-18625 | — | < 1.2.3-3.3.4 | 1.2.3-3.3.4 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2018-18624 | — | < 1.2.3-3.3.4 | 1.2.3-3.3.4 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2018-18623 | — | < 1.2.3-3.3.4 | 1.2.3-3.3.4 | Jun 2, 2020 | Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2018-17954 | — | < 1.2.3-3.3.4 | 1.2.3-3.3.4 | Apr 3, 2020 | An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a | ||
| CVE-2018-11779 | — | < 1.2.3-3.3.4 | 1.2.3-3.3.4 | Jul 25, 2019 | In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class. | ||
| CVE-2019-0202 | — | < 1.2.3-3.3.4 | 1.2.3-3.3.4 | Jul 25, 2019 | The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpo |
- CVE-2022-23307Jan 18, 2022affected < 1.2.3-3.8.1fixed 1.2.3-3.8.1
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
- CVE-2022-23305Jan 18, 2022affected < 1.2.3-3.8.1fixed 1.2.3-3.8.1
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
- CVE-2022-23302Jan 18, 2022affected < 1.2.3-3.8.1fixed 1.2.3-3.8.1
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
- CVE-2021-4104Dec 14, 2021affected < 1.2.3-3.5.1fixed 1.2.3-3.5.1
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t
- affected < 1.2.3-3.5.1fixed 1.2.3-3.5.1
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messa
- CVE-2020-25032Aug 31, 2020affected < 1.2.3-3.3.4fixed 1.2.3-3.3.4
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
- CVE-2020-17376Aug 26, 2020affected < 1.2.3-3.3.4fixed 1.2.3-3.3.4
An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar
- CVE-2020-11110Jul 27, 2020affected < 1.2.3-3.3.4fixed 1.2.3-3.3.4
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
- CVE-2018-18625Jun 2, 2020affected < 1.2.3-3.3.4fixed 1.2.3-3.3.4
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2018-18624Jun 2, 2020affected < 1.2.3-3.3.4fixed 1.2.3-3.3.4
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2018-18623Jun 2, 2020affected < 1.2.3-3.3.4fixed 1.2.3-3.3.4
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2018-17954Apr 3, 2020affected < 1.2.3-3.3.4fixed 1.2.3-3.3.4
An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
- CVE-2018-11779Jul 25, 2019affected < 1.2.3-3.3.4fixed 1.2.3-3.3.4
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.
- CVE-2019-0202Jul 25, 2019affected < 1.2.3-3.3.4fixed 1.2.3-3.3.4
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpo