rpm package
suse/venv-openstack-nova&distro=HPE Helion OpenStack 8
pkg:rpm/suse/venv-openstack-nova&distro=HPE%20Helion%20OpenStack%208
Vulnerabilities (142)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-18624 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2018-18623 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Jun 2, 2020 | Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2020-11077 | — | < 16.1.9~dev61-11.28.2 | 16.1.9~dev61-11.28.2 | May 22, 2020 | In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis | ||
| CVE-2020-11076 | — | < 16.1.9~dev61-11.28.2 | 16.1.9~dev61-11.28.2 | May 22, 2020 | In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. | ||
| CVE-2020-10744 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | May 15, 2020 | An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18 | ||
| CVE-2020-1746 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | May 12, 2020 | A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are use | ||
| CVE-2020-8151 | — | < 16.1.9~dev61-11.28.2 | 16.1.9~dev61-11.28.2 | May 12, 2020 | There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information. | ||
| CVE-2020-10685 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | May 11, 2020 | A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, | ||
| CVE-2020-10691 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Apr 30, 2020 | An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwr | ||
| CVE-2020-10663 | — | < 16.1.9~dev61-11.28.2 | 16.1.9~dev61-11.28.2 | Apr 28, 2020 | The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, | ||
| CVE-2020-12052 | — | < 16.1.9~dev61-11.28.2 | 16.1.9~dev61-11.28.2 | Apr 27, 2020 | Grafana version < 6.7.3 is vulnerable for annotation popup XSS. | ||
| CVE-2018-17954 | — | < 16.1.9~dev49-11.24.2 | 16.1.9~dev49-11.24.2 | Apr 3, 2020 | An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a | ||
| CVE-2019-14905 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Mar 31, 2020 | A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parame | ||
| CVE-2020-10684 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Mar 24, 2020 | A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker | ||
| CVE-2020-1738 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Mar 16, 2020 | A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x | ||
| CVE-2020-1740 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Mar 16, 2020 | A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descripto | ||
| CVE-2020-1735 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Mar 16, 2020 | A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. | ||
| CVE-2020-1736 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Mar 16, 2020 | A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restricti | ||
| CVE-2020-1753 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Mar 16, 2020 | A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are | ||
| CVE-2020-1739 | — | < 16.1.9~dev76-11.30.1 | 16.1.9~dev76-11.30.1 | Mar 12, 2020 | A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cm |
- CVE-2018-18624Jun 2, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2018-18623Jun 2, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2020-11077May 22, 2020affected < 16.1.9~dev61-11.28.2fixed 16.1.9~dev61-11.28.2
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis
- CVE-2020-11076May 22, 2020affected < 16.1.9~dev61-11.28.2fixed 16.1.9~dev61-11.28.2
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
- CVE-2020-10744May 15, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18
- CVE-2020-1746May 12, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are use
- CVE-2020-8151May 12, 2020affected < 16.1.9~dev61-11.28.2fixed 16.1.9~dev61-11.28.2
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
- CVE-2020-10685May 11, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble,
- CVE-2020-10691Apr 30, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwr
- CVE-2020-10663Apr 28, 2020affected < 16.1.9~dev61-11.28.2fixed 16.1.9~dev61-11.28.2
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically,
- CVE-2020-12052Apr 27, 2020affected < 16.1.9~dev61-11.28.2fixed 16.1.9~dev61-11.28.2
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
- CVE-2018-17954Apr 3, 2020affected < 16.1.9~dev49-11.24.2fixed 16.1.9~dev49-11.24.2
An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue a
- CVE-2019-14905Mar 31, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parame
- CVE-2020-10684Mar 24, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker
- CVE-2020-1738Mar 16, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x
- CVE-2020-1740Mar 16, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descripto
- CVE-2020-1735Mar 16, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
- CVE-2020-1736Mar 16, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restricti
- CVE-2020-1753Mar 16, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are
- CVE-2020-1739Mar 12, 2020affected < 16.1.9~dev76-11.30.1fixed 16.1.9~dev76-11.30.1
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cm
Page 3 of 8