rpm package

suse/venv-openstack-ironic&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (102)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2023-23931	—	< 11.1.5~dev18-4.37.2	11.1.5~dev18-4.37.2	Feb 7, 2023	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object
CVE-2022-47951	—	< 11.1.5~dev18-4.35.1	11.1.5~dev18-4.35.1	Jan 26, 2023	An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
CVE-2021-22141	—	< 11.1.5~dev17-4.23.1	11.1.5~dev17-4.23.1	Nov 18, 2022	An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2022-23451	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Sep 6, 2022	An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
CVE-2022-23452	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Sep 1, 2022	An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVE-2022-29970	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	May 2, 2022	Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVE-2022-23833	—	< 11.1.5~dev17-4.28.1	11.1.5~dev17-4.28.1	Feb 3, 2022	An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
CVE-2022-22818	—	< 11.1.5~dev17-4.28.1	11.1.5~dev17-4.28.1	Feb 3, 2022	The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
CVE-2022-23307	—	< 11.1.5~dev17-4.31.1	11.1.5~dev17-4.31.1	Jan 18, 2022	CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23305	—	< 11.1.5~dev17-4.31.1	11.1.5~dev17-4.31.1	Jan 18, 2022	By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
CVE-2022-23302	—	< 11.1.5~dev17-4.31.1	11.1.5~dev17-4.31.1	Jan 18, 2022	JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
CVE-2022-22817	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Jan 7, 2022	PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
CVE-2022-22816	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Jan 7, 2022	path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22815	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Jan 7, 2022	path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
CVE-2021-44716	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Jan 1, 2022	net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-4104	—	< 11.1.5~dev17-4.25.1	11.1.5~dev17-4.25.1	Dec 14, 2021	JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t
CVE-2021-43818	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Dec 13, 2021	lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s
CVE-2021-43813	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Dec 10, 2021	Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi
CVE-2021-41184	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Oct 26, 2021	jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option
CVE-2021-41183	—	< 11.1.5~dev18-4.33.1	11.1.5~dev18-4.33.1	Oct 26, 2021	jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `Text

CVE-2023-23931Feb 7, 2023
affected < 11.1.5~dev18-4.37.2fixed 11.1.5~dev18-4.37.2
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object
CVE-2022-47951Jan 26, 2023
affected < 11.1.5~dev18-4.35.1fixed 11.1.5~dev18-4.35.1
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
CVE-2021-22141Nov 18, 2022
affected < 11.1.5~dev17-4.23.1fixed 11.1.5~dev17-4.23.1
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2022-23451Sep 6, 2022
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
CVE-2022-23452Sep 1, 2022
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVE-2022-29970May 2, 2022
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVE-2022-23833Feb 3, 2022
affected < 11.1.5~dev17-4.28.1fixed 11.1.5~dev17-4.28.1
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
CVE-2022-22818Feb 3, 2022
affected < 11.1.5~dev17-4.28.1fixed 11.1.5~dev17-4.28.1
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
CVE-2022-23307Jan 18, 2022
affected < 11.1.5~dev17-4.31.1fixed 11.1.5~dev17-4.31.1
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23305Jan 18, 2022
affected < 11.1.5~dev17-4.31.1fixed 11.1.5~dev17-4.31.1
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
CVE-2022-23302Jan 18, 2022
affected < 11.1.5~dev17-4.31.1fixed 11.1.5~dev17-4.31.1
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
CVE-2022-22817Jan 7, 2022
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
CVE-2022-22816Jan 7, 2022
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22815Jan 7, 2022
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
CVE-2021-44716Jan 1, 2022
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-4104Dec 14, 2021
affected < 11.1.5~dev17-4.25.1fixed 11.1.5~dev17-4.25.1
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t
CVE-2021-43818Dec 13, 2021
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s
CVE-2021-43813Dec 10, 2021
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi
CVE-2021-41184Oct 26, 2021
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option
CVE-2021-41183Oct 26, 2021
affected < 11.1.5~dev18-4.33.1fixed 11.1.5~dev18-4.33.1
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text

Page 1 of 6