rpm package
suse/venv-openstack-horizon&distro=SUSE OpenStack Cloud 8
pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208
Vulnerabilities (144)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-10743 | — | < 12.0.5~dev6-14.34.3 | 12.0.5~dev6-14.34.3 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | ||
| CVE-2020-10729 | — | < 12.0.5~dev3-14.32.1 | 12.0.5~dev3-14.32.1 | May 27, 2021 | A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be tha | ||
| CVE-2021-21419 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | May 7, 2021 | Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web | ||
| CVE-2021-31542 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | May 5, 2021 | In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. | ||
| CVE-2021-28658 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | Apr 6, 2021 | In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. | ||
| CVE-2021-27358 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | Mar 18, 2021 | The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. | ||
| CVE-2019-25025 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | Mar 5, 2021 | The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepanci | ||
| CVE-2021-23336 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | Feb 15, 2021 | The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When | ||
| CVE-2020-17516 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | Feb 3, 2021 | Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted | ||
| CVE-2021-3281 | — | < 12.0.5~dev6-14.34.3 | 12.0.5~dev6-14.34.3 | Feb 2, 2021 | In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments. | ||
| CVE-2021-21238 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | Jan 21, 2021 | PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig | ||
| CVE-2021-21239 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | Jan 21, 2021 | PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted | ||
| CVE-2020-26298 | — | < 12.0.5~dev6-14.38.2 | 12.0.5~dev6-14.38.2 | Jan 11, 2021 | Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the | ||
| CVE-2020-26247 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | Dec 30, 2020 | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be acces | ||
| CVE-2020-29651 | — | < 12.0.5~dev6-14.36.6 | 12.0.5~dev6-14.36.6 | Dec 9, 2020 | A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. | ||
| CVE-2020-26137 | — | < 12.0.5~dev3-14.32.1 | 12.0.5~dev3-14.32.1 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | ||
| CVE-2020-14365 | — | < 12.0.5~dev3-14.32.1 | 12.0.5~dev3-14.32.1 | Sep 23, 2020 | A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default be | ||
| CVE-2020-14332 | — | < 12.0.5~dev3-14.32.1 | 12.0.5~dev3-14.32.1 | Sep 11, 2020 | A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t | ||
| CVE-2020-14330 | — | < 12.0.5~dev3-14.32.1 | 12.0.5~dev3-14.32.1 | Sep 11, 2020 | An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user | ||
| CVE-2020-25032 | — | < 12.0.5~dev3-14.32.1 | 12.0.5~dev3-14.32.1 | Aug 31, 2020 | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. |
- CVE-2020-10743Jun 2, 2021affected < 12.0.5~dev6-14.34.3fixed 12.0.5~dev6-14.34.3
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- CVE-2020-10729May 27, 2021affected < 12.0.5~dev3-14.32.1fixed 12.0.5~dev3-14.32.1
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be tha
- CVE-2021-21419May 7, 2021affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web
- CVE-2021-31542May 5, 2021affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
- CVE-2021-28658Apr 6, 2021affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
- CVE-2021-27358Mar 18, 2021affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
- CVE-2019-25025Mar 5, 2021affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepanci
- CVE-2021-23336Feb 15, 2021affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When
- CVE-2020-17516Feb 3, 2021affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted
- CVE-2021-3281Feb 2, 2021affected < 12.0.5~dev6-14.34.3fixed 12.0.5~dev6-14.34.3
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
- CVE-2021-21238Jan 21, 2021affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig
- CVE-2021-21239Jan 21, 2021affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted
- CVE-2020-26298Jan 11, 2021affected < 12.0.5~dev6-14.38.2fixed 12.0.5~dev6-14.38.2
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the
- CVE-2020-26247Dec 30, 2020affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be acces
- CVE-2020-29651Dec 9, 2020affected < 12.0.5~dev6-14.36.6fixed 12.0.5~dev6-14.36.6
A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.
- CVE-2020-26137Sep 29, 2020affected < 12.0.5~dev3-14.32.1fixed 12.0.5~dev3-14.32.1
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
- CVE-2020-14365Sep 23, 2020affected < 12.0.5~dev3-14.32.1fixed 12.0.5~dev3-14.32.1
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default be
- CVE-2020-14332Sep 11, 2020affected < 12.0.5~dev3-14.32.1fixed 12.0.5~dev3-14.32.1
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t
- CVE-2020-14330Sep 11, 2020affected < 12.0.5~dev3-14.32.1fixed 12.0.5~dev3-14.32.1
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user
- CVE-2020-25032Aug 31, 2020affected < 12.0.5~dev3-14.32.1fixed 12.0.5~dev3-14.32.1
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
Page 2 of 8