openstack-dashboard (SUSE:OpenStack Cloud 9) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:OpenStack Cloud 9 package openstack-dashboard, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (55)
CVE-2020-7471 — CVSS 9.8 (critical): Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter…
CVE-2019-11068 — CVSS 9.8 (critical): libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon…
CVE-2018-11779 — CVSS 9.8 (critical): In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the…
CVE-2019-19844 — CVSS 9.8 (critical): Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to…
CVE-2018-17954 — CVSS 9.3 (critical): An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud…
CVE-2020-9402 — CVSS 8.8 (high): Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter…
CVE-2020-17376 — CVSS 8.3 (high): An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By…
CVE-2020-13379 — CVSS 8.2 (high): The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated…
CVE-2020-11538 — CVSS 8.1 (high): In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different…
CVE-2020-17516 — CVSS 7.5 (high): Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack'…
CVE-2021-33571 — CVSS 7.5 (high): In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do…
CVE-2021-31542 — CVSS 7.5 (high): In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory…
CVE-2021-27358 — CVSS 7.5 (high): The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a…
CVE-2017-11499 — CVSS 7.5 (high): Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to…
CVE-2019-0202 — CVSS 7.5 (high): The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm…
CVE-2019-15043 — CVSS 7.5 (high): In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service…
CVE-2020-8184 — CVSS 7.5 (high): A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is…
CVE-2019-16865 — CVSS 7.5 (high): An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very…
CVE-2019-19911 — CVSS 7.5 (high): There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer…
CVE-2020-29651 — CVSS 7.5 (high): A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to…
CVE-2020-25032 — CVSS 7.5 (high): An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private…
CVE-2019-16789 — CVSS 7.1 (high): In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that…
CVE-2019-16786 — CVSS 7.1 (high): Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not…
CVE-2019-16785 — CVSS 7.1 (high): Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and…
CVE-2019-16792 — CVSS 7.1 (high): Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double…
CVE-2020-10755 — CVSS 6.5 (medium): An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x…
CVE-2018-19039 — CVSS 6.5 (medium): Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin…
CVE-2019-10876 — CVSS 6.5 (medium): An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security…
CVE-2019-3871 — CVSS 6.5 (medium): A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from…
CVE-2021-21238 — CVSS 6.5 (medium): PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic…
CVE-2021-21239 — CVSS 6.5 (medium): PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic…
CVE-2020-13596 — CVSS 6.1 (medium): An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin…
CVE-2017-11481 — CVSS 6.1 (medium): Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to…
CVE-2018-18623 — CVSS 6.1 (medium): Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18625 — CVSS 6.1 (medium): Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for…
CVE-2018-18624 — CVSS 6.1 (medium): Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for…
CVE-2020-13254 — CVSS 5.9 (medium): An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key…
CVE-2021-23336 — CVSS 5.9 (medium): The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2…
CVE-2020-10378 — CVSS 5.5 (medium): In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed…
CVE-2020-10994 — CVSS 5.5 (medium): In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
CVE-2020-11110 — CVSS 5.4 (medium): Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject…
CVE-2021-28658 — CVSS 5.3 (medium): In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with…
CVE-2019-25025 — CVSS 5.3 (medium): The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time…
CVE-2019-13117 — CVSS 5.3 (medium): In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumber…
CVE-2019-16770 — CVSS 5.3 (medium): In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a…
CVE-2021-3281 — CVSS 5.3 (medium): In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp…
CVE-2021-33203 — CVSS 4.9 (medium): Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff…
CVE-2020-10743 — CVSS 4.3 (medium): It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to…
CVE-2019-3828 — CVSS 4.2 (medium): Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files…