rpm package
suse/venv-openstack-barbican&distro=SUSE OpenStack Cloud 9
pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%209
Vulnerabilities (103)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-23931 | — | < 7.0.1~dev24-3.41.2 | 7.0.1~dev24-3.41.2 | Feb 7, 2023 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object | ||
| CVE-2022-47951 | — | < 7.0.1~dev24-3.39.1 | 7.0.1~dev24-3.39.1 | Jan 26, 2023 | An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac | ||
| CVE-2022-3100 | — | < 7.0.1~dev24-3.37.1 | 7.0.1~dev24-3.37.1 | Jan 18, 2023 | A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. | ||
| CVE-2021-22141 | — | < 7.0.1~dev24-3.25.1 | 7.0.1~dev24-3.25.1 | Nov 18, 2022 | An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website. | ||
| CVE-2022-23451 | — | < 7.0.1~dev24-3.35.2 | 7.0.1~dev24-3.35.2 | Sep 6, 2022 | An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p | ||
| CVE-2022-23452 | — | < 7.0.1~dev24-3.35.2 | 7.0.1~dev24-3.35.2 | Sep 1, 2022 | An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service. | ||
| CVE-2022-33891 | — | KEV | < 7.0.1~dev24-3.37.1 | 7.0.1~dev24-3.37.1 | Jul 18, 2022 | The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can | |
| CVE-2022-29970 | — | < 7.0.1~dev24-3.35.2 | 7.0.1~dev24-3.35.2 | May 2, 2022 | Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. | ||
| CVE-2022-23833 | — | < 7.0.1~dev24-3.30.1 | 7.0.1~dev24-3.30.1 | Feb 3, 2022 | An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files. | ||
| CVE-2022-22818 | — | < 7.0.1~dev24-3.30.1 | 7.0.1~dev24-3.30.1 | Feb 3, 2022 | The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. | ||
| CVE-2022-23307 | — | < 7.0.1~dev24-3.33.1 | 7.0.1~dev24-3.33.1 | Jan 18, 2022 | CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. | ||
| CVE-2022-23305 | — | < 7.0.1~dev24-3.33.1 | 7.0.1~dev24-3.33.1 | Jan 18, 2022 | By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering | ||
| CVE-2022-23302 | — | < 7.0.1~dev24-3.33.1 | 7.0.1~dev24-3.33.1 | Jan 18, 2022 | JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi | ||
| CVE-2022-22817 | — | < 7.0.1~dev24-3.35.2 | 7.0.1~dev24-3.35.2 | Jan 7, 2022 | PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. | ||
| CVE-2022-22816 | — | < 7.0.1~dev24-3.35.2 | 7.0.1~dev24-3.35.2 | Jan 7, 2022 | path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. | ||
| CVE-2022-22815 | — | < 7.0.1~dev24-3.35.2 | 7.0.1~dev24-3.35.2 | Jan 7, 2022 | path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. | ||
| CVE-2021-44716 | — | < 7.0.1~dev24-3.35.2 | 7.0.1~dev24-3.35.2 | Jan 1, 2022 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. | ||
| CVE-2021-4104 | — | < 7.0.1~dev24-3.27.1 | 7.0.1~dev24-3.27.1 | Dec 14, 2021 | JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t | ||
| CVE-2021-43818 | — | < 7.0.1~dev24-3.35.2 | 7.0.1~dev24-3.35.2 | Dec 13, 2021 | lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s | ||
| CVE-2021-43813 | — | < 7.0.1~dev24-3.35.2 | 7.0.1~dev24-3.35.2 | Dec 10, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi |
- CVE-2023-23931Feb 7, 2023affected < 7.0.1~dev24-3.41.2fixed 7.0.1~dev24-3.41.2
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object
- CVE-2022-47951Jan 26, 2023affected < 7.0.1~dev24-3.39.1fixed 7.0.1~dev24-3.39.1
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
- CVE-2022-3100Jan 18, 2023affected < 7.0.1~dev24-3.37.1fixed 7.0.1~dev24-3.37.1
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.
- CVE-2021-22141Nov 18, 2022affected < 7.0.1~dev24-3.25.1fixed 7.0.1~dev24-3.25.1
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
- CVE-2022-23451Sep 6, 2022affected < 7.0.1~dev24-3.35.2fixed 7.0.1~dev24-3.35.2
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
- CVE-2022-23452Sep 1, 2022affected < 7.0.1~dev24-3.35.2fixed 7.0.1~dev24-3.35.2
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
- affected < 7.0.1~dev24-3.37.1fixed 7.0.1~dev24-3.37.1
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can
- CVE-2022-29970May 2, 2022affected < 7.0.1~dev24-3.35.2fixed 7.0.1~dev24-3.35.2
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
- CVE-2022-23833Feb 3, 2022affected < 7.0.1~dev24-3.30.1fixed 7.0.1~dev24-3.30.1
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
- CVE-2022-22818Feb 3, 2022affected < 7.0.1~dev24-3.30.1fixed 7.0.1~dev24-3.30.1
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
- CVE-2022-23307Jan 18, 2022affected < 7.0.1~dev24-3.33.1fixed 7.0.1~dev24-3.33.1
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
- CVE-2022-23305Jan 18, 2022affected < 7.0.1~dev24-3.33.1fixed 7.0.1~dev24-3.33.1
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
- CVE-2022-23302Jan 18, 2022affected < 7.0.1~dev24-3.33.1fixed 7.0.1~dev24-3.33.1
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
- CVE-2022-22817Jan 7, 2022affected < 7.0.1~dev24-3.35.2fixed 7.0.1~dev24-3.35.2
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
- CVE-2022-22816Jan 7, 2022affected < 7.0.1~dev24-3.35.2fixed 7.0.1~dev24-3.35.2
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
- CVE-2022-22815Jan 7, 2022affected < 7.0.1~dev24-3.35.2fixed 7.0.1~dev24-3.35.2
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
- CVE-2021-44716Jan 1, 2022affected < 7.0.1~dev24-3.35.2fixed 7.0.1~dev24-3.35.2
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
- CVE-2021-4104Dec 14, 2021affected < 7.0.1~dev24-3.27.1fixed 7.0.1~dev24-3.27.1
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t
- CVE-2021-43818Dec 13, 2021affected < 7.0.1~dev24-3.35.2fixed 7.0.1~dev24-3.35.2
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s
- CVE-2021-43813Dec 10, 2021affected < 7.0.1~dev24-3.35.2fixed 7.0.1~dev24-3.35.2
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi
Page 1 of 6