rpm package

suse/venv-openstack-heat&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (110)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2023-1625	—	< 11.0.4~dev4-3.43.2	11.0.4~dev4-3.43.2	Sep 24, 2023	An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the
CVE-2023-25577	—	< 11.0.4~dev4-3.43.2	11.0.4~dev4-3.43.2	Feb 14, 2023	Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory
CVE-2023-23931	—	< 11.0.4~dev4-3.41.2	11.0.4~dev4-3.41.2	Feb 7, 2023	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object
CVE-2022-47951	—	< 11.0.4~dev4-3.39.1	11.0.4~dev4-3.39.1	Jan 26, 2023	An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
CVE-2022-47950	—	< 11.0.4~dev4-3.43.2	11.0.4~dev4-3.43.2	Jan 18, 2023	An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentiall
CVE-2021-22141	—	< 11.0.4~dev4-3.25.1	11.0.4~dev4-3.25.1	Nov 18, 2022	An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2022-23451	—	< 11.0.4~dev4-3.35.1	11.0.4~dev4-3.35.1	Sep 6, 2022	An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
CVE-2022-23452	—	< 11.0.4~dev4-3.35.1	11.0.4~dev4-3.35.1	Sep 1, 2022	An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVE-2022-34265	—	< 11.0.4~dev4-3.37.1	11.0.4~dev4-3.37.1	Jul 4, 2022	An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe l
CVE-2022-29970	—	< 11.0.4~dev4-3.35.1	11.0.4~dev4-3.35.1	May 2, 2022	Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVE-2022-28346	—	< 11.0.4~dev4-3.37.1	11.0.4~dev4-3.37.1	Apr 12, 2022	An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
CVE-2022-24790	—	< 11.0.4~dev4-3.37.1	11.0.4~dev4-3.37.1	Mar 30, 2022	Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta
CVE-2022-23833	—	< 11.0.4~dev4-3.30.1	11.0.4~dev4-3.30.1	Feb 3, 2022	An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
CVE-2022-22818	—	< 11.0.4~dev4-3.30.1	11.0.4~dev4-3.30.1	Feb 3, 2022	The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
CVE-2022-23307	—	< 11.0.4~dev4-3.33.1	11.0.4~dev4-3.33.1	Jan 18, 2022	CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23305	—	< 11.0.4~dev4-3.33.1	11.0.4~dev4-3.33.1	Jan 18, 2022	By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
CVE-2022-23302	—	< 11.0.4~dev4-3.33.1	11.0.4~dev4-3.33.1	Jan 18, 2022	JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
CVE-2022-22817	—	< 11.0.4~dev4-3.35.1	11.0.4~dev4-3.35.1	Jan 7, 2022	PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
CVE-2022-22816	—	< 11.0.4~dev4-3.35.1	11.0.4~dev4-3.35.1	Jan 7, 2022	path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22815	—	< 11.0.4~dev4-3.35.1	11.0.4~dev4-3.35.1	Jan 7, 2022	path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

CVE-2023-1625Sep 24, 2023
affected < 11.0.4~dev4-3.43.2fixed 11.0.4~dev4-3.43.2
An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the
CVE-2023-25577Feb 14, 2023
affected < 11.0.4~dev4-3.43.2fixed 11.0.4~dev4-3.43.2
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory
CVE-2023-23931Feb 7, 2023
affected < 11.0.4~dev4-3.41.2fixed 11.0.4~dev4-3.41.2
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object
CVE-2022-47951Jan 26, 2023
affected < 11.0.4~dev4-3.39.1fixed 11.0.4~dev4-3.39.1
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
CVE-2022-47950Jan 18, 2023
affected < 11.0.4~dev4-3.43.2fixed 11.0.4~dev4-3.43.2
An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentiall
CVE-2021-22141Nov 18, 2022
affected < 11.0.4~dev4-3.25.1fixed 11.0.4~dev4-3.25.1
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2022-23451Sep 6, 2022
affected < 11.0.4~dev4-3.35.1fixed 11.0.4~dev4-3.35.1
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
CVE-2022-23452Sep 1, 2022
affected < 11.0.4~dev4-3.35.1fixed 11.0.4~dev4-3.35.1
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVE-2022-34265Jul 4, 2022
affected < 11.0.4~dev4-3.37.1fixed 11.0.4~dev4-3.37.1
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe l
CVE-2022-29970May 2, 2022
affected < 11.0.4~dev4-3.35.1fixed 11.0.4~dev4-3.35.1
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVE-2022-28346Apr 12, 2022
affected < 11.0.4~dev4-3.37.1fixed 11.0.4~dev4-3.37.1
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
CVE-2022-24790Mar 30, 2022
affected < 11.0.4~dev4-3.37.1fixed 11.0.4~dev4-3.37.1
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta
CVE-2022-23833Feb 3, 2022
affected < 11.0.4~dev4-3.30.1fixed 11.0.4~dev4-3.30.1
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
CVE-2022-22818Feb 3, 2022
affected < 11.0.4~dev4-3.30.1fixed 11.0.4~dev4-3.30.1
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
CVE-2022-23307Jan 18, 2022
affected < 11.0.4~dev4-3.33.1fixed 11.0.4~dev4-3.33.1
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23305Jan 18, 2022
affected < 11.0.4~dev4-3.33.1fixed 11.0.4~dev4-3.33.1
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
CVE-2022-23302Jan 18, 2022
affected < 11.0.4~dev4-3.33.1fixed 11.0.4~dev4-3.33.1
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
CVE-2022-22817Jan 7, 2022
affected < 11.0.4~dev4-3.35.1fixed 11.0.4~dev4-3.35.1
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
CVE-2022-22816Jan 7, 2022
affected < 11.0.4~dev4-3.35.1fixed 11.0.4~dev4-3.35.1
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22815Jan 7, 2022
affected < 11.0.4~dev4-3.35.1fixed 11.0.4~dev4-3.35.1
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

Page 1 of 6