rpm package
suse/venv-openstack-murano&distro=HPE Helion OpenStack 8
pkg:rpm/suse/venv-openstack-murano&distro=HPE%20Helion%20OpenStack%208
Vulnerabilities (147)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-11779 | — | < 4.0.2~dev2-12.24.1 | 4.0.2~dev2-12.24.1 | Jul 25, 2019 | In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class. | ||
| CVE-2019-0202 | — | < 4.0.2~dev2-12.24.1 | 4.0.2~dev2-12.24.1 | Jul 25, 2019 | The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpo | ||
| CVE-2019-2805 | — | < 4.0.2~dev2-12.18.2 | 4.0.2~dev2-12.18.2 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mu | ||
| CVE-2019-2758 | — | < 4.0.2~dev2-12.18.2 | 4.0.2~dev2-12.18.2 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr | ||
| CVE-2019-2740 | — | < 4.0.2~dev2-12.18.2 | 4.0.2~dev2-12.18.2 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multi | ||
| CVE-2019-2739 | — | < 4.0.2~dev2-12.18.2 | 4.0.2~dev2-12.18.2 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon | ||
| CVE-2019-2737 | — | < 4.0.2~dev2-12.18.2 | 4.0.2~dev2-12.18.2 | Jul 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network acc | ||
| CVE-2019-1010083 | — | < 4.0.2~dev2-12.22.1 | 4.0.2~dev2-12.22.1 | Jul 17, 2019 | The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656. | ||
| CVE-2019-13611 | — | < 4.0.2~dev2-12.16.2 | 4.0.2~dev2-12.16.2 | Jul 15, 2019 | An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted. | ||
| CVE-2019-13117 | — | < 4.0.2~dev2-12.18.2 | 4.0.2~dev2-12.18.2 | Jul 1, 2019 | In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character. | ||
| CVE-2019-0201 | — | < 4.0.2~dev2-12.20.1 | 4.0.2~dev2-12.20.1 | May 23, 2019 | An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuth | ||
| CVE-2019-11596 | — | < 4.0.2~dev2-12.20.1 | 4.0.2~dev2-12.20.1 | Apr 29, 2019 | In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c. | ||
| CVE-2019-2628 | — | < 4.0.2~dev2-12.16.2 | 4.0.2~dev2-12.16.2 | Apr 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr | ||
| CVE-2019-2627 | — | < 4.0.2~dev2-12.16.2 | 4.0.2~dev2-12.16.2 | Apr 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with networ | ||
| CVE-2019-2614 | — | < 4.0.2~dev2-12.16.2 | 4.0.2~dev2-12.16.2 | Apr 23, 2019 | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with network acces | ||
| CVE-2019-11068 | — | < 4.0.1-12.11.1 | 4.0.1-12.11.1 | Apr 10, 2019 | libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. | ||
| CVE-2019-10876 | — | < 4.0.1-12.11.1 | 4.0.1-12.11.1 | Apr 5, 2019 | An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes | ||
| CVE-2019-3828 | — | < 4.0.2~dev2-12.22.1 | 4.0.2~dev2-12.22.1 | Mar 27, 2019 | Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path. | ||
| CVE-2019-3871 | — | < 4.0.2~dev2-12.20.1 | 4.0.2~dev2-12.20.1 | Mar 21, 2019 | A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend, allowing a remote user to cause a denial of | ||
| CVE-2019-9735 | — | < 4.0.2~dev2-12.14.1 | 4.0.2~dev2-12.14.1 | Mar 13, 2019 | An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, |
- CVE-2018-11779Jul 25, 2019affected < 4.0.2~dev2-12.24.1fixed 4.0.2~dev2-12.24.1
In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.
- CVE-2019-0202Jul 25, 2019affected < 4.0.2~dev2-12.24.1fixed 4.0.2~dev2-12.24.1
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpo
- CVE-2019-2805Jul 23, 2019affected < 4.0.2~dev2-12.18.2fixed 4.0.2~dev2-12.18.2
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mu
- CVE-2019-2758Jul 23, 2019affected < 4.0.2~dev2-12.18.2fixed 4.0.2~dev2-12.18.2
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr
- CVE-2019-2740Jul 23, 2019affected < 4.0.2~dev2-12.18.2fixed 4.0.2~dev2-12.18.2
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multi
- CVE-2019-2739Jul 23, 2019affected < 4.0.2~dev2-12.18.2fixed 4.0.2~dev2-12.18.2
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon
- CVE-2019-2737Jul 23, 2019affected < 4.0.2~dev2-12.18.2fixed 4.0.2~dev2-12.18.2
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network acc
- CVE-2019-1010083Jul 17, 2019affected < 4.0.2~dev2-12.22.1fixed 4.0.2~dev2-12.22.1
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
- CVE-2019-13611Jul 15, 2019affected < 4.0.2~dev2-12.16.2fixed 4.0.2~dev2-12.16.2
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
- CVE-2019-13117Jul 1, 2019affected < 4.0.2~dev2-12.18.2fixed 4.0.2~dev2-12.18.2
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
- CVE-2019-0201May 23, 2019affected < 4.0.2~dev2-12.20.1fixed 4.0.2~dev2-12.20.1
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuth
- CVE-2019-11596Apr 29, 2019affected < 4.0.2~dev2-12.20.1fixed 4.0.2~dev2-12.20.1
In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.
- CVE-2019-2628Apr 23, 2019affected < 4.0.2~dev2-12.16.2fixed 4.0.2~dev2-12.16.2
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compr
- CVE-2019-2627Apr 23, 2019affected < 4.0.2~dev2-12.16.2fixed 4.0.2~dev2-12.16.2
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with networ
- CVE-2019-2614Apr 23, 2019affected < 4.0.2~dev2-12.16.2fixed 4.0.2~dev2-12.16.2
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with network acces
- CVE-2019-11068Apr 10, 2019affected < 4.0.1-12.11.1fixed 4.0.1-12.11.1
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
- CVE-2019-10876Apr 5, 2019affected < 4.0.1-12.11.1fixed 4.0.1-12.11.1
An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes
- CVE-2019-3828Mar 27, 2019affected < 4.0.2~dev2-12.22.1fixed 4.0.2~dev2-12.22.1
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
- CVE-2019-3871Mar 21, 2019affected < 4.0.2~dev2-12.20.1fixed 4.0.2~dev2-12.20.1
A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend, allowing a remote user to cause a denial of
- CVE-2019-9735Mar 13, 2019affected < 4.0.2~dev2-12.14.1fixed 4.0.2~dev2-12.14.1
An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example,
Page 6 of 8