rpm package
suse/venv-openstack-keystone&distro=SUSE OpenStack Cloud 8
pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208
Vulnerabilities (142)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-23931 | — | < 12.0.4~dev11-11.49.1 | 12.0.4~dev11-11.49.1 | Feb 7, 2023 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object | ||
| CVE-2022-47951 | — | < 12.0.4~dev11-11.47.1 | 12.0.4~dev11-11.47.1 | Jan 26, 2023 | An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac | ||
| CVE-2021-22141 | — | < 12.0.4~dev11-11.45.1 | 12.0.4~dev11-11.45.1 | Nov 18, 2022 | An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website. | ||
| CVE-2022-23833 | — | < 12.0.4~dev11-11.40.1 | 12.0.4~dev11-11.40.1 | Feb 3, 2022 | An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files. | ||
| CVE-2022-22818 | — | < 12.0.4~dev11-11.40.1 | 12.0.4~dev11-11.40.1 | Feb 3, 2022 | The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. | ||
| CVE-2022-23307 | — | < 12.0.4~dev11-11.43.1 | 12.0.4~dev11-11.43.1 | Jan 18, 2022 | CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. | ||
| CVE-2022-23305 | — | < 12.0.4~dev11-11.43.1 | 12.0.4~dev11-11.43.1 | Jan 18, 2022 | By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering | ||
| CVE-2022-23302 | — | < 12.0.4~dev11-11.43.1 | 12.0.4~dev11-11.43.1 | Jan 18, 2022 | JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi | ||
| CVE-2021-45452 | — | < 12.0.4~dev11-11.40.1 | 12.0.4~dev11-11.40.1 | Jan 4, 2022 | Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. | ||
| CVE-2021-4104 | — | < 12.0.4~dev11-11.37.1 | 12.0.4~dev11-11.37.1 | Dec 14, 2021 | JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t | ||
| CVE-2021-38155 | — | < 12.0.4~dev11-11.45.1 | 12.0.4~dev11-11.45.1 | Aug 6, 2021 | OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, an | ||
| CVE-2021-33203 | — | < 12.0.4~dev11-11.35.3 | 12.0.4~dev11-11.35.3 | Jun 8, 2021 | Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs te | ||
| CVE-2021-33571 | — | < 12.0.4~dev11-11.35.3 | 12.0.4~dev11-11.35.3 | Jun 8, 2021 | In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4 | ||
| CVE-2020-10743 | — | < 12.0.4~dev11-11.28.2 | 12.0.4~dev11-11.28.2 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | ||
| CVE-2020-10729 | — | < 12.0.4~dev11-11.30.1 | 12.0.4~dev11-11.30.1 | May 27, 2021 | A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be tha | ||
| CVE-2021-21419 | — | < 12.0.4~dev11-11.35.3 | 12.0.4~dev11-11.35.3 | May 7, 2021 | Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web | ||
| CVE-2021-31542 | — | < 12.0.4~dev11-11.35.3 | 12.0.4~dev11-11.35.3 | May 5, 2021 | In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. | ||
| CVE-2021-28658 | — | < 12.0.4~dev11-11.35.3 | 12.0.4~dev11-11.35.3 | Apr 6, 2021 | In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. | ||
| CVE-2021-27358 | — | < 12.0.4~dev11-11.35.3 | 12.0.4~dev11-11.35.3 | Mar 18, 2021 | The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. | ||
| CVE-2019-25025 | — | < 12.0.4~dev11-11.35.3 | 12.0.4~dev11-11.35.3 | Mar 5, 2021 | The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepanci |
- CVE-2023-23931Feb 7, 2023affected < 12.0.4~dev11-11.49.1fixed 12.0.4~dev11-11.49.1
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object
- CVE-2022-47951Jan 26, 2023affected < 12.0.4~dev11-11.47.1fixed 12.0.4~dev11-11.47.1
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
- CVE-2021-22141Nov 18, 2022affected < 12.0.4~dev11-11.45.1fixed 12.0.4~dev11-11.45.1
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
- CVE-2022-23833Feb 3, 2022affected < 12.0.4~dev11-11.40.1fixed 12.0.4~dev11-11.40.1
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
- CVE-2022-22818Feb 3, 2022affected < 12.0.4~dev11-11.40.1fixed 12.0.4~dev11-11.40.1
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
- CVE-2022-23307Jan 18, 2022affected < 12.0.4~dev11-11.43.1fixed 12.0.4~dev11-11.43.1
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
- CVE-2022-23305Jan 18, 2022affected < 12.0.4~dev11-11.43.1fixed 12.0.4~dev11-11.43.1
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
- CVE-2022-23302Jan 18, 2022affected < 12.0.4~dev11-11.43.1fixed 12.0.4~dev11-11.43.1
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
- CVE-2021-45452Jan 4, 2022affected < 12.0.4~dev11-11.40.1fixed 12.0.4~dev11-11.40.1
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
- CVE-2021-4104Dec 14, 2021affected < 12.0.4~dev11-11.37.1fixed 12.0.4~dev11-11.37.1
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t
- CVE-2021-38155Aug 6, 2021affected < 12.0.4~dev11-11.45.1fixed 12.0.4~dev11-11.45.1
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, an
- CVE-2021-33203Jun 8, 2021affected < 12.0.4~dev11-11.35.3fixed 12.0.4~dev11-11.35.3
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs te
- CVE-2021-33571Jun 8, 2021affected < 12.0.4~dev11-11.35.3fixed 12.0.4~dev11-11.35.3
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4
- CVE-2020-10743Jun 2, 2021affected < 12.0.4~dev11-11.28.2fixed 12.0.4~dev11-11.28.2
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- CVE-2020-10729May 27, 2021affected < 12.0.4~dev11-11.30.1fixed 12.0.4~dev11-11.30.1
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be tha
- CVE-2021-21419May 7, 2021affected < 12.0.4~dev11-11.35.3fixed 12.0.4~dev11-11.35.3
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts web
- CVE-2021-31542May 5, 2021affected < 12.0.4~dev11-11.35.3fixed 12.0.4~dev11-11.35.3
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
- CVE-2021-28658Apr 6, 2021affected < 12.0.4~dev11-11.35.3fixed 12.0.4~dev11-11.35.3
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
- CVE-2021-27358Mar 18, 2021affected < 12.0.4~dev11-11.35.3fixed 12.0.4~dev11-11.35.3
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
- CVE-2019-25025Mar 5, 2021affected < 12.0.4~dev11-11.35.3fixed 12.0.4~dev11-11.35.3
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepanci
Page 1 of 8