rpm package
suse/venv-openstack-trove&distro=SUSE OpenStack Cloud 8
pkg:rpm/suse/venv-openstack-trove&distro=SUSE%20OpenStack%20Cloud%208
Vulnerabilities (140)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21238 | — | < 8.0.2~dev2-11.32.3 | 8.0.2~dev2-11.32.3 | Jan 21, 2021 | PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig | ||
| CVE-2021-21239 | — | < 8.0.2~dev2-11.32.3 | 8.0.2~dev2-11.32.3 | Jan 21, 2021 | PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted | ||
| CVE-2020-26247 | — | < 8.0.2~dev2-11.32.3 | 8.0.2~dev2-11.32.3 | Dec 30, 2020 | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be acces | ||
| CVE-2020-29651 | — | < 8.0.2~dev2-11.32.3 | 8.0.2~dev2-11.32.3 | Dec 9, 2020 | A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. | ||
| CVE-2020-26137 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | ||
| CVE-2020-14365 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Sep 23, 2020 | A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default be | ||
| CVE-2020-14332 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Sep 11, 2020 | A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t | ||
| CVE-2020-14330 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Sep 11, 2020 | An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user | ||
| CVE-2020-25032 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Aug 31, 2020 | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. | ||
| CVE-2020-17376 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Aug 26, 2020 | An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar | ||
| CVE-2019-14904 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Aug 25, 2020 | A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw | ||
| CVE-2020-11110 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Jul 27, 2020 | Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. | ||
| CVE-2020-10177 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Jun 25, 2020 | Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. | ||
| CVE-2020-10994 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Jun 25, 2020 | In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. | ||
| CVE-2020-10378 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Jun 25, 2020 | In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. | ||
| CVE-2020-13379 | — | < 8.0.2~dev2-11.26.1 | 8.0.2~dev2-11.26.1 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2020-13596 | — | < 8.0.2~dev2-11.26.1 | 8.0.2~dev2-11.26.1 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. | ||
| CVE-2020-13254 | — | < 8.0.2~dev2-11.26.1 | 8.0.2~dev2-11.26.1 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. | ||
| CVE-2018-18625 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | ||
| CVE-2018-18624 | — | < 8.0.2~dev2-11.28.1 | 8.0.2~dev2-11.28.1 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. |
- CVE-2021-21238Jan 21, 2021affected < 8.0.2~dev2-11.32.3fixed 8.0.2~dev2-11.32.3
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Sig
- CVE-2021-21239Jan 21, 2021affected < 8.0.2~dev2-11.32.3fixed 8.0.2~dev2-11.32.3
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted
- CVE-2020-26247Dec 30, 2020affected < 8.0.2~dev2-11.32.3fixed 8.0.2~dev2-11.32.3
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be acces
- CVE-2020-29651Dec 9, 2020affected < 8.0.2~dev2-11.32.3fixed 8.0.2~dev2-11.32.3
A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.
- CVE-2020-26137Sep 29, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
- CVE-2020-14365Sep 23, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default be
- CVE-2020-14332Sep 11, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t
- CVE-2020-14330Sep 11, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user
- CVE-2020-25032Aug 31, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
- CVE-2020-17376Aug 26, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar
- CVE-2019-14904Aug 25, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw
- CVE-2020-11110Jul 27, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
- CVE-2020-10177Jun 25, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
- CVE-2020-10994Jun 25, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
- CVE-2020-10378Jun 25, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
- CVE-2020-13379Jun 3, 2020affected < 8.0.2~dev2-11.26.1fixed 8.0.2~dev2-11.26.1
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2020-13596Jun 3, 2020affected < 8.0.2~dev2-11.26.1fixed 8.0.2~dev2-11.26.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
- CVE-2020-13254Jun 3, 2020affected < 8.0.2~dev2-11.26.1fixed 8.0.2~dev2-11.26.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
- CVE-2018-18625Jun 2, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
- CVE-2018-18624Jun 2, 2020affected < 8.0.2~dev2-11.28.1fixed 8.0.2~dev2-11.28.1
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Page 2 of 7