rpm package
suse/venv-openstack-nova&distro=SUSE OpenStack Cloud 9
pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%209
Vulnerabilities (114)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-23931 | — | < 18.3.1~dev92-3.47.2 | 18.3.1~dev92-3.47.2 | Feb 7, 2023 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object | ||
| CVE-2022-47951 | — | < 18.3.1~dev92-3.45.1 | 18.3.1~dev92-3.45.1 | Jan 26, 2023 | An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac | ||
| CVE-2022-3100 | — | < 18.3.1~dev92-3.43.1 | 18.3.1~dev92-3.43.1 | Jan 18, 2023 | A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. | ||
| CVE-2021-22141 | — | < 18.3.1~dev91-3.29.1 | 18.3.1~dev91-3.29.1 | Nov 18, 2022 | An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website. | ||
| CVE-2022-23451 | — | < 18.3.1~dev91-3.39.1 | 18.3.1~dev91-3.39.1 | Sep 6, 2022 | An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p | ||
| CVE-2022-23452 | — | < 18.3.1~dev91-3.39.1 | 18.3.1~dev91-3.39.1 | Sep 1, 2022 | An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service. | ||
| CVE-2022-33891 | — | KEV | < 18.3.1~dev92-3.43.1 | 18.3.1~dev92-3.43.1 | Jul 18, 2022 | The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can | |
| CVE-2022-34265 | — | < 18.3.1~dev92-3.41.1 | 18.3.1~dev92-3.41.1 | Jul 4, 2022 | An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe l | ||
| CVE-2022-29970 | — | < 18.3.1~dev91-3.39.1 | 18.3.1~dev91-3.39.1 | May 2, 2022 | Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. | ||
| CVE-2022-28346 | — | < 18.3.1~dev92-3.41.1 | 18.3.1~dev92-3.41.1 | Apr 12, 2022 | An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. | ||
| CVE-2022-24790 | — | < 18.3.1~dev92-3.41.1 | 18.3.1~dev92-3.41.1 | Mar 30, 2022 | Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta | ||
| CVE-2022-23833 | — | < 18.3.1~dev91-3.34.1 | 18.3.1~dev91-3.34.1 | Feb 3, 2022 | An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files. | ||
| CVE-2022-22818 | — | < 18.3.1~dev91-3.34.1 | 18.3.1~dev91-3.34.1 | Feb 3, 2022 | The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. | ||
| CVE-2022-23307 | — | < 18.3.1~dev91-3.37.1 | 18.3.1~dev91-3.37.1 | Jan 18, 2022 | CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. | ||
| CVE-2022-23305 | — | < 18.3.1~dev91-3.37.1 | 18.3.1~dev91-3.37.1 | Jan 18, 2022 | By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering | ||
| CVE-2022-23302 | — | < 18.3.1~dev91-3.37.1 | 18.3.1~dev91-3.37.1 | Jan 18, 2022 | JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi | ||
| CVE-2022-22817 | — | < 18.3.1~dev91-3.39.1 | 18.3.1~dev91-3.39.1 | Jan 7, 2022 | PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. | ||
| CVE-2022-22816 | — | < 18.3.1~dev91-3.39.1 | 18.3.1~dev91-3.39.1 | Jan 7, 2022 | path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. | ||
| CVE-2022-22815 | — | < 18.3.1~dev91-3.39.1 | 18.3.1~dev91-3.39.1 | Jan 7, 2022 | path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. | ||
| CVE-2021-44716 | — | < 18.3.1~dev91-3.39.1 | 18.3.1~dev91-3.39.1 | Jan 1, 2022 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. |
- CVE-2023-23931Feb 7, 2023affected < 18.3.1~dev92-3.47.2fixed 18.3.1~dev92-3.47.2
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object
- CVE-2022-47951Jan 26, 2023affected < 18.3.1~dev92-3.45.1fixed 18.3.1~dev92-3.45.1
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
- CVE-2022-3100Jan 18, 2023affected < 18.3.1~dev92-3.43.1fixed 18.3.1~dev92-3.43.1
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.
- CVE-2021-22141Nov 18, 2022affected < 18.3.1~dev91-3.29.1fixed 18.3.1~dev91-3.29.1
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
- CVE-2022-23451Sep 6, 2022affected < 18.3.1~dev91-3.39.1fixed 18.3.1~dev91-3.39.1
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
- CVE-2022-23452Sep 1, 2022affected < 18.3.1~dev91-3.39.1fixed 18.3.1~dev91-3.39.1
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
- affected < 18.3.1~dev92-3.43.1fixed 18.3.1~dev92-3.43.1
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can
- CVE-2022-34265Jul 4, 2022affected < 18.3.1~dev92-3.41.1fixed 18.3.1~dev92-3.41.1
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe l
- CVE-2022-29970May 2, 2022affected < 18.3.1~dev91-3.39.1fixed 18.3.1~dev91-3.39.1
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
- CVE-2022-28346Apr 12, 2022affected < 18.3.1~dev92-3.41.1fixed 18.3.1~dev92-3.41.1
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
- CVE-2022-24790Mar 30, 2022affected < 18.3.1~dev92-3.41.1fixed 18.3.1~dev92-3.41.1
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta
- CVE-2022-23833Feb 3, 2022affected < 18.3.1~dev91-3.34.1fixed 18.3.1~dev91-3.34.1
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
- CVE-2022-22818Feb 3, 2022affected < 18.3.1~dev91-3.34.1fixed 18.3.1~dev91-3.34.1
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
- CVE-2022-23307Jan 18, 2022affected < 18.3.1~dev91-3.37.1fixed 18.3.1~dev91-3.37.1
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
- CVE-2022-23305Jan 18, 2022affected < 18.3.1~dev91-3.37.1fixed 18.3.1~dev91-3.37.1
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
- CVE-2022-23302Jan 18, 2022affected < 18.3.1~dev91-3.37.1fixed 18.3.1~dev91-3.37.1
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
- CVE-2022-22817Jan 7, 2022affected < 18.3.1~dev91-3.39.1fixed 18.3.1~dev91-3.39.1
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
- CVE-2022-22816Jan 7, 2022affected < 18.3.1~dev91-3.39.1fixed 18.3.1~dev91-3.39.1
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
- CVE-2022-22815Jan 7, 2022affected < 18.3.1~dev91-3.39.1fixed 18.3.1~dev91-3.39.1
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
- CVE-2021-44716Jan 1, 2022affected < 18.3.1~dev91-3.39.1fixed 18.3.1~dev91-3.39.1
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Page 1 of 6