rpm package

suse/venv-openstack-swift&distro=SUSE OpenStack Cloud 9

pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%209

Vulnerabilities (100)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2023-1625	—	< 2.19.3~dev3-2.36.3	2.19.3~dev3-2.36.3	Sep 24, 2023	An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the
CVE-2023-25577	—	< 2.19.3~dev3-2.36.3	2.19.3~dev3-2.36.3	Feb 14, 2023	Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory
CVE-2023-23931	—	< 2.19.2~dev48-2.34.2	2.19.2~dev48-2.34.2	Feb 7, 2023	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object
CVE-2022-47951	—	< 2.19.2~dev48-2.32.1	2.19.2~dev48-2.32.1	Jan 26, 2023	An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
CVE-2022-47950	—	< 2.19.3~dev3-2.36.3	2.19.3~dev3-2.36.3	Jan 18, 2023	An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentiall
CVE-2021-22141	—	< 2.19.2~dev48-2.20.1	2.19.2~dev48-2.20.1	Nov 18, 2022	An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2022-23451	—	< 2.19.2~dev48-2.30.1	2.19.2~dev48-2.30.1	Sep 6, 2022	An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
CVE-2022-23452	—	< 2.19.2~dev48-2.30.1	2.19.2~dev48-2.30.1	Sep 1, 2022	An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVE-2022-29970	—	< 2.19.2~dev48-2.30.1	2.19.2~dev48-2.30.1	May 2, 2022	Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVE-2022-23833	—	< 2.19.2~dev48-2.25.1	2.19.2~dev48-2.25.1	Feb 3, 2022	An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
CVE-2022-22818	—	< 2.19.2~dev48-2.25.1	2.19.2~dev48-2.25.1	Feb 3, 2022	The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
CVE-2022-23307	—	< 2.19.2~dev48-2.28.1	2.19.2~dev48-2.28.1	Jan 18, 2022	CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23305	—	< 2.19.2~dev48-2.28.1	2.19.2~dev48-2.28.1	Jan 18, 2022	By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
CVE-2022-23302	—	< 2.19.2~dev48-2.28.1	2.19.2~dev48-2.28.1	Jan 18, 2022	JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
CVE-2022-22817	—	< 2.19.2~dev48-2.30.1	2.19.2~dev48-2.30.1	Jan 7, 2022	PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
CVE-2022-22816	—	< 2.19.2~dev48-2.30.1	2.19.2~dev48-2.30.1	Jan 7, 2022	path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22815	—	< 2.19.2~dev48-2.30.1	2.19.2~dev48-2.30.1	Jan 7, 2022	path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
CVE-2021-44716	—	< 2.19.2~dev48-2.30.1	2.19.2~dev48-2.30.1	Jan 1, 2022	net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-4104	—	< 2.19.2~dev48-2.22.1	2.19.2~dev48-2.22.1	Dec 14, 2021	JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t
CVE-2021-43818	—	< 2.19.2~dev48-2.30.1	2.19.2~dev48-2.30.1	Dec 13, 2021	lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s

CVE-2023-1625Sep 24, 2023
affected < 2.19.3~dev3-2.36.3fixed 2.19.3~dev3-2.36.3
An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the
CVE-2023-25577Feb 14, 2023
affected < 2.19.3~dev3-2.36.3fixed 2.19.3~dev3-2.36.3
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory
CVE-2023-23931Feb 7, 2023
affected < 2.19.2~dev48-2.34.2fixed 2.19.2~dev48-2.34.2
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object
CVE-2022-47951Jan 26, 2023
affected < 2.19.2~dev48-2.32.1fixed 2.19.2~dev48-2.32.1
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific bac
CVE-2022-47950Jan 18, 2023
affected < 2.19.3~dev3-2.36.3fixed 2.19.3~dev3-2.36.3
An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentiall
CVE-2021-22141Nov 18, 2022
affected < 2.19.2~dev48-2.20.1fixed 2.19.2~dev48-2.20.1
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
CVE-2022-23451Sep 6, 2022
affected < 2.19.2~dev48-2.30.1fixed 2.19.2~dev48-2.30.1
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete p
CVE-2022-23452Sep 1, 2022
affected < 2.19.2~dev48-2.30.1fixed 2.19.2~dev48-2.30.1
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVE-2022-29970May 2, 2022
affected < 2.19.2~dev48-2.30.1fixed 2.19.2~dev48-2.30.1
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVE-2022-23833Feb 3, 2022
affected < 2.19.2~dev48-2.25.1fixed 2.19.2~dev48-2.25.1
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
CVE-2022-22818Feb 3, 2022
affected < 2.19.2~dev48-2.25.1fixed 2.19.2~dev48-2.25.1
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
CVE-2022-23307Jan 18, 2022
affected < 2.19.2~dev48-2.28.1fixed 2.19.2~dev48-2.28.1
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23305Jan 18, 2022
affected < 2.19.2~dev48-2.28.1fixed 2.19.2~dev48-2.28.1
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering
CVE-2022-23302Jan 18, 2022
affected < 2.19.2~dev48-2.28.1fixed 2.19.2~dev48-2.28.1
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi
CVE-2022-22817Jan 7, 2022
affected < 2.19.2~dev48-2.30.1fixed 2.19.2~dev48-2.30.1
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
CVE-2022-22816Jan 7, 2022
affected < 2.19.2~dev48-2.30.1fixed 2.19.2~dev48-2.30.1
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-22815Jan 7, 2022
affected < 2.19.2~dev48-2.30.1fixed 2.19.2~dev48-2.30.1
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
CVE-2021-44716Jan 1, 2022
affected < 2.19.2~dev48-2.30.1fixed 2.19.2~dev48-2.30.1
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-4104Dec 14, 2021
affected < 2.19.2~dev48-2.22.1fixed 2.19.2~dev48-2.22.1
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t
CVE-2021-43818Dec 13, 2021
affected < 2.19.2~dev48-2.30.1fixed 2.19.2~dev48-2.30.1
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s

Page 1 of 5