OVAL Definition Details
Id
oval:ru.altx-soft.nix:def:181949
Version
1
Class
patch
ALTXid
395382
Language
Russian
Severity
High
Title
Update SUSE-SU-2022:1729-1 -- fixing vulnerabilities in ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud
Description
This update for ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud fixes the security issues.
Family
unix
Product
release-notes-suse-openstack-cloud
python-lxml
openstack-barbican
grafana
ardana-barbican
Reference
VENDOR: SUSE-SU-2022:1729-1
Id:
SUSE-SU-2022:1729-1
Reference:
https://www.suse.com/support/update/announcement/2022/SUSE-SU-20221729-1/
CVE: CVE-2018-19787
Id:
CVE-2018-19787
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19787
Comment: An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109 (MISC)
[debian-lts-announce] 20181210 [SECURITY] [DLA 1604-1] lxml security update (MLIST)
USN-3841-2 (UBUNTU)
USN-3841-1 (UBUNTU)
[debian-lts-announce] 20201126 [SECURITY] [DLA 2467-1] lxml security update (MLIST)
CVE: CVE-2020-27783
Id:
CVE-2020-27783
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783
Comment: An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1901633 (MISC)
DSA-4810 (DEBIAN)
[debian-lts-announce] 20201218 [SECURITY] [DLA 2467-2] lxml regression update (MLIST)
https://advisory.checkmarx.net/advisory/CX-2020-4286 (MISC)
https://security.netapp.com/advisory/ntap-20210521-0003/ (CONFIRM)
FEDORA-2020-0e055ea503 ()
FEDORA-2020-307946cfb6 ()
CVE: CVE-2021-28957
Id:
CVE-2021-28957
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
Comment: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://bugs.launchpad.net/lxml/+bug/1888153 (MISC)
https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270 (MISC)
[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update (MLIST)
https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999 (MISC)
DSA-4880 (DEBIAN)
https://security.netapp.com/advisory/ntap-20210521-0004/ (CONFIRM)
https://www.oracle.com/security-alerts/cpuoct2021.html (MISC)
GLSA-202208-06 (GENTOO)
FEDORA-2021-28723f9670 ()
FEDORA-2021-4cdb0f68c7 ()
CVE: CVE-2021-38155
Id:
CVE-2021-38155
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38155
Comment: OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE:
307 (Improper Restriction of Excessive Authentication Attempts)
References:
https://launchpad.net/bugs/1688137 (MISC)
https://security.openstack.org/ossa/OSSA-2021-003.html (CONFIRM)
[oss-security] 20210810 [OSSA-2021-003] Keystone: Account name and UUID oracles in account locking (CVE-2021-38155) (MLIST)
[debian-lts-announce] 20240121 [SECURITY] [DLA 3714-1] keystone security update ()
CVE: CVE-2021-40085
Id:
CVE-2021-40085
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
Comment: An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
HIGH
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References:
https://security.openstack.org/ossa/OSSA-2021-005.html (MISC)
https://launchpad.net/bugs/1939733 (MISC)
[oss-security] 20210831 [OSSA-2021-005] Neutron: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085) (MLIST)
[debian-lts-announce] 20211011 [SECURITY] [DLA 2781-1] neutron security update (MLIST)
DSA-4983 (DEBIAN)
[debian-lts-announce] 20220526 [SECURITY] [DLA 3027-1] neutron security update (MLIST)
CVE: CVE-2021-41182
Id:
CVE-2021-41182
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41182
Comment: jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc (CONFIRM)
https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63 (MISC)
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ (MISC)
https://security.netapp.com/advisory/ntap-20211118-0004/ (CONFIRM)
https://www.drupal.org/sa-contrib-2022-004 (MISC)
https://www.drupal.org/sa-core-2022-002 (CONFIRM)
[debian-lts-announce] 20220119 [SECURITY] [DLA-2889-1] drupal7 security update (MLIST)
https://www.oracle.com/security-alerts/cpuapr2022.html (MISC)
https://www.tenable.com/security/tns-2022-09 (CONFIRM)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ (MISC)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MISC)
CVE: CVE-2021-41183
Id:
CVE-2021-41183
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41183
Comment: jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://bugs.jqueryui.com/ticket/15284 (MISC)
https://github.com/jquery/jquery-ui/pull/1953 (MISC)
https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4 (CONFIRM)
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ (MISC)
https://security.netapp.com/advisory/ntap-20211118-0004/ (CONFIRM)
https://www.drupal.org/sa-contrib-2022-004 (MISC)
https://www.drupal.org/sa-core-2022-001 (CONFIRM)
https://www.drupal.org/sa-core-2022-002 (CONFIRM)
[debian-lts-announce] 20220119 [SECURITY] [DLA-2889-1] drupal7 security update (MLIST)
https://www.oracle.com/security-alerts/cpuapr2022.html (MISC)
https://www.tenable.com/security/tns-2022-09 (CONFIRM)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ (MISC)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MISC)
CVE: CVE-2021-41184
Id:
CVE-2021-41184
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41184
Comment: jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280 (MISC)
https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327 (CONFIRM)
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ (MISC)
https://security.netapp.com/advisory/ntap-20211118-0004/ (CONFIRM)
https://www.drupal.org/sa-core-2022-001 (CONFIRM)
https://www.oracle.com/security-alerts/cpuapr2022.html (MISC)
https://www.tenable.com/security/tns-2022-09 (CONFIRM)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ (MISC)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MISC)
CVE: CVE-2021-43813
Id:
CVE-2021-43813
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43813
Comment: Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows authenticated users access to files with the extension .md. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will also have to be able to handle URL-encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
4.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
LOW
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE:
22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
References:
https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d (MISC)
https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/ (MISC)
https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q (CONFIRM)
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/ (MISC)
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/ (MISC)
https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f (MISC)
[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files (MLIST)
https://security.netapp.com/advisory/ntap-20220107-0006/ (CONFIRM)
CVE: CVE-2021-43818
Id:
CVE-2021-43818
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818
Comment: lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
7.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
LOW
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 (MISC)
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776 (MISC)
https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 (CONFIRM)
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a (MISC)
[debian-lts-announce] 20211230 [SECURITY] [DLA 2871-1] lxml security update (MLIST)
https://security.netapp.com/advisory/ntap-20220107-0005/ (CONFIRM)
DSA-5043 (DEBIAN)
https://www.oracle.com/security-alerts/cpuapr2022.html (MISC)
GLSA-202208-06 (GENTOO)
FEDORA-2021-6e8fb79f90 ()
FEDORA-2021-9f9e7c5c4f ()
FEDORA-2022-96c79bf003 ()
FEDORA-2022-7129fbaeed ()
CVE: CVE-2021-44716
Id:
CVE-2021-44716
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716
Comment: net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE:
400 (Uncontrolled Resource Consumption ('Resource Exhaustion'))
References:
https://groups.google.com/g/golang-announce/c/hcmEScgc00k (CONFIRM)
https://security.netapp.com/advisory/ntap-20220121-0002/ (CONFIRM)
[debian-lts-announce] 20220121 [SECURITY] [DLA 2892-1] golang-1.7 security update (MLIST)
[debian-lts-announce] 20220121 [SECURITY] [DLA 2891-1] golang-1.8 security update (MLIST)
GLSA-202208-02 (GENTOO)
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf (MISC)
[debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update (MLIST)
CVE: CVE-2022-22815
Id:
CVE-2022-22815
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22815
Comment: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
CVSSv2 Score:
6.4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
LOW
Availability impact:
LOW
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CWE:
665 (Improper Initialization)
References:
https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331 (MISC)
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling (MISC)
[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update (MLIST)
DSA-5053 (DEBIAN)
GLSA-202211-10 (GENTOO)
CVE: CVE-2022-22816
Id:
CVE-2022-22816
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22816
Comment: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVSSv2 Score:
6.4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
LOW
Availability impact:
LOW
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CWE:
125 (Out-of-bounds Read)
References:
https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331 (MISC)
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling (MISC)
[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update (MLIST)
DSA-5053 (DEBIAN)
GLSA-202211-10 (GENTOO)
CVE: CVE-2022-22817
Id:
CVE-2022-22817
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817
Comment: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval (MISC)
[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update (MLIST)
DSA-5053 (DEBIAN)
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security (CONFIRM)
GLSA-202211-10 (GENTOO)
[debian-lts-announce] 20240322 [SECURITY] [DLA 3768-1] pillow security update ()
CVE: CVE-2022-23451
Id:
CVE-2022-23451
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23451
Comment: An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.
CVSSv3 Score:
8.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CWE:
863 (Incorrect Authorization)
References:
https://review.opendev.org/c/openstack/barbican/+/811236 (MISC)
https://bugzilla.redhat.com/show_bug.cgi?id=2025089 (MISC)
https://access.redhat.com/security/cve/CVE-2022-23451 (MISC)
https://bugzilla.redhat.com/show_bug.cgi?id=2022878 (MISC)
https://storyboard.openstack.org/#%21/story/2009253 (MISC)
CVE: CVE-2022-23452
Id:
CVE-2022-23452
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23452
Comment: An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVSSv3 Score:
4.9
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
HIGH
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE:
863 (Incorrect Authorization)
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2022908 (MISC)
https://access.redhat.com/security/cve/CVE-2022-23452 (MISC)
https://review.opendev.org/c/openstack/barbican/+/814200 (MISC)
https://bugzilla.redhat.com/show_bug.cgi?id=2025090 (MISC)
https://storyboard.openstack.org/#%21/story/2009297 (MISC)
CVE: CVE-2022-29970
Id:
CVE-2022-29970
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29970
Comment: Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE:
22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
References:
https://github.com/sinatra/sinatra/pull/1683/commits/462c3ca1db53ed3cfc394cf5948e9c948ad1c10e (MISC)
[debian-lts-announce] 20221028 [SECURITY] [DLA 3166-1] ruby-sinatra security update (MLIST)