csaf_suse - suse-su-2020:3624-1

suse-su-2020:3624-1

Vulnerability from csaf_suse

Published

2020-12-04 11:50

Modified

2020-12-04 11:50

Summary

Security update for crowbar-openstack, grafana, influxdb, python-urllib3

Notes

Title of the patch

Security update for crowbar-openstack, grafana, influxdb, python-urllib3

Description of the patch

This update for crowbar-openstack, grafana, influxdb, python-urllib3 contains the following fixes: Security fixes included in this update: openstack-glance - CVE-2016-8611: Added rate limiting for glance api (bnc#1005886) grafana - CVE-2020-24303: Fixed an XSS via a query alias for the ElasticSearch datasource (#bnc#1178243) influxdb - CVE-2019-20933: Fixed an authentication bypass (bnc#1178988) python-urlib3 - CVE-2019-9740: Fixed a CRLF injection in urllib3 (bnc#1129071). - CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bnc#1177120) memcached - CVE-2018-1000115: Fixed a issue where a UDP server allowed spoofed traffic amplification DoS (bnc#1083903). Non-security fixes included in this update: Changes in crowbar-openstack: - Update to version 4.0+git.1604938545.30c10db18: * rabbitmq: Fix crm running check (SOC-11240) Changes in grafana: - Fix bnc#1178243 CVE-2020-24303 by adding 25401-Fix-XSS-vulnerability-with-series-overrides.patch Changes in influxdb: - Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to fix authentication bypass_ - Declare license files correctly - Version 1.2.4: * The stress tool influx_stress will be removed in a subsequent release. * Remove the override of GOMAXPROCS. * Uncomment section headers from the default configuration file. * Improve write performance significantly. * Prune data in meta store for deleted shards. * Update latest dependencies with Godeps. * Introduce syntax for marking a partial response with chunking. * Use X-Forwarded-For IP address in HTTP logger if present. * Add support for secure transmission via collectd. * Switch logging to use structured logging everywhere. * [CLI feature request] USE retention policy for queries. * Add clear command to cli. * Adding ability to use parameters in queries in the v2 client using the Parameters map in the Query struct. * Allow add items to array config via ENV * Support subquery execution in the query language. * Verbose output for SSL connection errors. * Cache snapshotting performance improvements - Partially revert previous change to fix build for Leap Changes in python-urllib3: - Update urllib3-fix-test-urls.patch. Adjust to match upstream solution. - Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for CVE-2019-9740. - Add urllib3-cve-2020-26137.patch. Don't allow control chars in request method. (bnc#1177120, CVE-2020-26137)

Patchnames

SUSE-2020-3624,SUSE-OpenStack-Cloud-7-2020-3624

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for crowbar-openstack, grafana, influxdb, python-urllib3",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for crowbar-openstack, grafana, influxdb, python-urllib3 contains the following fixes:\n\nSecurity fixes included in this update:\n\nopenstack-glance\n- CVE-2016-8611: Added rate limiting for glance api (bnc#1005886)\n\ngrafana\n- CVE-2020-24303: Fixed an XSS via a query alias for the ElasticSearch datasource (#bnc#1178243)\n\ninfluxdb\n- CVE-2019-20933: Fixed an authentication bypass (bnc#1178988)\n\npython-urlib3\n- CVE-2019-9740: Fixed a CRLF injection in urllib3 (bnc#1129071).\n- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bnc#1177120)\n\nmemcached\n- CVE-2018-1000115: Fixed a issue where a UDP server allowed spoofed traffic amplification DoS (bnc#1083903).\n\nNon-security fixes included in this update:\n\nChanges in crowbar-openstack:\n- Update to version 4.0+git.1604938545.30c10db18:\n  * rabbitmq: Fix crm running check (SOC-11240)\n\nChanges in grafana:\n- Fix bnc#1178243 CVE-2020-24303 by adding\n  25401-Fix-XSS-vulnerability-with-series-overrides.patch\n\nChanges in influxdb:\n- Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to\n  fix authentication bypass_\n- Declare license files correctly\n\n- Version 1.2.4:\n  * The stress tool influx_stress will be removed in a subsequent\n    release.\n  * Remove the override of GOMAXPROCS.\n  * Uncomment section headers from the default configuration file.\n  * Improve write performance significantly.\n  * Prune data in meta store for deleted shards.\n  * Update latest dependencies with Godeps.\n  * Introduce syntax for marking a partial response with chunking.\n  * Use X-Forwarded-For IP address in HTTP logger if present.\n  * Add support for secure transmission via collectd.\n  * Switch logging to use structured logging everywhere.\n  * [CLI feature request] USE retention policy for queries.\n  * Add clear command to cli.\n  * Adding ability to use parameters in queries in the v2 client\n    using the Parameters map in the Query struct.\n  * Allow add items to array config via ENV\n  * Support subquery execution in the query language.\n  * Verbose output for SSL connection errors.\n  * Cache snapshotting performance improvements\n\n- Partially revert previous change to fix build for Leap\n\nChanges in python-urllib3:\n- Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.\n\n- Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for\n  CVE-2019-9740.\n\n- Add urllib3-cve-2020-26137.patch. Don\u0027t allow control chars in request\n  method. (bnc#1177120, CVE-2020-26137)\n\n  ",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2020-3624,SUSE-OpenStack-Cloud-7-2020-3624",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_3624-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2020:3624-1",
        "url": "https://www.suse.com/support/update/announcement/2020/suse-su-20203624-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2020:3624-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-December/007916.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1005886",
        "url": "https://bugzilla.suse.com/1005886"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1170479",
        "url": "https://bugzilla.suse.com/1170479"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1177120",
        "url": "https://bugzilla.suse.com/1177120"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1178243",
        "url": "https://bugzilla.suse.com/1178243"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1178988",
        "url": "https://bugzilla.suse.com/1178988"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2016-8611 page",
        "url": "https://www.suse.com/security/cve/CVE-2016-8611/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-20933 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-20933/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-9740 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-9740/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-24303 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-24303/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-26137 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-26137/"
      }
    ],
    "title": "Security update for crowbar-openstack, grafana, influxdb, python-urllib3",
    "tracking": {
      "current_release_date": "2020-12-04T11:50:23Z",
      "generator": {
        "date": "2020-12-04T11:50:23Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2020:3624-1",
      "initial_release_date": "2020-12-04T11:50:23Z",
      "revision_history": [
        {
          "date": "2020-12-04T11:50:23Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-6.7.4-1.20.1.aarch64",
                "product": {
                  "name": "grafana-6.7.4-1.20.1.aarch64",
                  "product_id": "grafana-6.7.4-1.20.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "influxdb-1.2.4-5.1.aarch64",
                "product": {
                  "name": "influxdb-1.2.4-5.1.aarch64",
                  "product_id": "influxdb-1.2.4-5.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "influxdb-devel-1.2.4-5.1.aarch64",
                "product": {
                  "name": "influxdb-devel-1.2.4-5.1.aarch64",
                  "product_id": "influxdb-devel-1.2.4-5.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
                "product": {
                  "name": "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
                  "product_id": "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python-urllib3-1.16-3.12.1.noarch",
                "product": {
                  "name": "python-urllib3-1.16-3.12.1.noarch",
                  "product_id": "python-urllib3-1.16-3.12.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-6.7.4-1.20.1.ppc64le",
                "product": {
                  "name": "grafana-6.7.4-1.20.1.ppc64le",
                  "product_id": "grafana-6.7.4-1.20.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "influxdb-1.2.4-5.1.ppc64le",
                "product": {
                  "name": "influxdb-1.2.4-5.1.ppc64le",
                  "product_id": "influxdb-1.2.4-5.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "influxdb-devel-1.2.4-5.1.ppc64le",
                "product": {
                  "name": "influxdb-devel-1.2.4-5.1.ppc64le",
                  "product_id": "influxdb-devel-1.2.4-5.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-6.7.4-1.20.1.s390x",
                "product": {
                  "name": "grafana-6.7.4-1.20.1.s390x",
                  "product_id": "grafana-6.7.4-1.20.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "influxdb-1.2.4-5.1.s390x",
                "product": {
                  "name": "influxdb-1.2.4-5.1.s390x",
                  "product_id": "influxdb-1.2.4-5.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "influxdb-devel-1.2.4-5.1.s390x",
                "product": {
                  "name": "influxdb-devel-1.2.4-5.1.s390x",
                  "product_id": "influxdb-devel-1.2.4-5.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-6.7.4-1.20.1.x86_64",
                "product": {
                  "name": "grafana-6.7.4-1.20.1.x86_64",
                  "product_id": "grafana-6.7.4-1.20.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "influxdb-1.2.4-5.1.x86_64",
                "product": {
                  "name": "influxdb-1.2.4-5.1.x86_64",
                  "product_id": "influxdb-1.2.4-5.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "influxdb-devel-1.2.4-5.1.x86_64",
                "product": {
                  "name": "influxdb-devel-1.2.4-5.1.x86_64",
                  "product_id": "influxdb-devel-1.2.4-5.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud 7",
                "product": {
                  "name": "SUSE OpenStack Cloud 7",
                  "product_id": "SUSE OpenStack Cloud 7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch"
        },
        "product_reference": "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-6.7.4-1.20.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64"
        },
        "product_reference": "grafana-6.7.4-1.20.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "influxdb-1.2.4-5.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64"
        },
        "product_reference": "influxdb-1.2.4-5.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-urllib3-1.16-3.12.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
        },
        "product_reference": "python-urllib3-1.16-3.12.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-8611",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2016-8611"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
          "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
          "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
          "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2016-8611",
          "url": "https://www.suse.com/security/cve/CVE-2016-8611"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1005886 for CVE-2016-8611",
          "url": "https://bugzilla.suse.com/1005886"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-12-04T11:50:23Z",
          "details": "low"
        }
      ],
      "title": "CVE-2016-8611"
    },
    {
      "cve": "CVE-2019-20933",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-20933"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
          "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
          "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
          "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-20933",
          "url": "https://www.suse.com/security/cve/CVE-2019-20933"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1178988 for CVE-2019-20933",
          "url": "https://bugzilla.suse.com/1178988"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-12-04T11:50:23Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-20933"
    },
    {
      "cve": "CVE-2019-9740",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-9740"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
          "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
          "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
          "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-9740",
          "url": "https://www.suse.com/security/cve/CVE-2019-9740"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1129071 for CVE-2019-9740",
          "url": "https://bugzilla.suse.com/1129071"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1130840 for CVE-2019-9740",
          "url": "https://bugzilla.suse.com/1130840"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1132663 for CVE-2019-9740",
          "url": "https://bugzilla.suse.com/1132663"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-12-04T11:50:23Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-9740"
    },
    {
      "cve": "CVE-2020-24303",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-24303"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
          "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
          "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
          "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-24303",
          "url": "https://www.suse.com/security/cve/CVE-2020-24303"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1178243 for CVE-2020-24303",
          "url": "https://bugzilla.suse.com/1178243"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-12-04T11:50:23Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-24303"
    },
    {
      "cve": "CVE-2020-26137",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-26137"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
          "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
          "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
          "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-26137",
          "url": "https://www.suse.com/security/cve/CVE-2020-26137"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1177120 for CVE-2020-26137",
          "url": "https://bugzilla.suse.com/1177120"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1177211 for CVE-2020-26137",
          "url": "https://bugzilla.suse.com/1177211"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch",
            "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64",
            "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64",
            "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-12-04T11:50:23Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-26137"
    }
  ]
}

CVE-2016-8611 (GCVE-0-2016-8611)

Vulnerability from cvelistv5

Published

2018-07-31 20:00

Modified

2024-08-06 02:27

Severity ?

4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-400

Summary

A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.

References

►

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8611	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1037312	vdb-entry, x_refsource_SECTRACK
	http://www.securityfocus.com/bid/94378	vdb-entry, x_refsource_BID
	https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c05333384	x_refsource_CONFIRM
	http://seclists.org/oss-sec/2016/q4/266	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	The Openstack Foundation	openstack-glance	Version: v1 and v2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:27:41.035Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8611"
          },
          {
            "name": "1037312",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1037312"
          },
          {
            "name": "94378",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94378"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c05333384"
          },
          {
            "name": "[oss-security] 20161027 [OSSN-0076] Glance Image service v1 and v2 api image-create vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2016/q4/266"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openstack-glance",
          "vendor": "The Openstack Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "v1 and v2"
            }
          ]
        }
      ],
      "datePublic": "2016-10-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-08-02T16:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8611"
        },
        {
          "name": "1037312",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1037312"
        },
        {
          "name": "94378",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94378"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c05333384"
        },
        {
          "name": "[oss-security] 20161027 [OSSN-0076] Glance Image service v1 and v2 api image-create vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2016/q4/266"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-8611",
    "datePublished": "2018-07-31T20:00:00",
    "dateReserved": "2016-10-12T00:00:00",
    "dateUpdated": "2024-08-06T02:27:41.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-9740 (GCVE-0-2019-9740)

Vulnerability from cvelistv5

Published

2019-03-13 03:00

Modified

2024-08-04 22:01

Severity ?

CWE

Summary

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

References

►

URL

Tags

	http://www.securityfocus.com/bid/107466	vdb-entry, x_refsource_BID
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/	vendor-advisory, x_refsource_FEDORA
	https://access.redhat.com/errata/RHSA-2019:1260	vendor-advisory, x_refsource_REDHAT
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/	vendor-advisory, x_refsource_FEDORA
	https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html	mailing-list, x_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html	mailing-list, x_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/	vendor-advisory, x_refsource_FEDORA
	https://access.redhat.com/errata/RHSA-2019:2030	vendor-advisory, x_refsource_REDHAT
	https://usn.ubuntu.com/4127-2/	vendor-advisory, x_refsource_UBUNTU
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html	vendor-advisory, x_refsource_SUSE
	https://usn.ubuntu.com/4127-1/	vendor-advisory, x_refsource_UBUNTU
	https://seclists.org/bugtraq/2019/Oct/29	mailing-list, x_refsource_BUGTRAQ
	https://access.redhat.com/errata/RHSA-2019:3335	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:3520	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:3725	vendor-advisory, x_refsource_REDHAT
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/	vendor-advisory, x_refsource_FEDORA
	https://security.gentoo.org/glsa/202003-26	vendor-advisory, x_refsource_GENTOO
	https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html	mailing-list, x_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html	mailing-list, x_refsource_MLIST
	http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2021/02/04/2	mailing-list, x_refsource_MLIST
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
	https://bugs.python.org/issue36276	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20190619-0005/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:01:54.079Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "107466",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107466"
          },
          {
            "name": "FEDORA-2019-1ffd6b6064",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"
          },
          {
            "name": "RHSA-2019:1260",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1260"
          },
          {
            "name": "FEDORA-2019-ec26883852",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/"
          },
          {
            "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"
          },
          {
            "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"
          },
          {
            "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-2] python3.4 regression update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"
          },
          {
            "name": "FEDORA-2019-7723d4774a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/"
          },
          {
            "name": "FEDORA-2019-7df59302e0",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/"
          },
          {
            "name": "RHSA-2019:2030",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2030"
          },
          {
            "name": "USN-4127-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4127-2/"
          },
          {
            "name": "openSUSE-SU-2019:2131",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html"
          },
          {
            "name": "openSUSE-SU-2019:2133",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html"
          },
          {
            "name": "USN-4127-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4127-1/"
          },
          {
            "name": "20191021 [slackware-security] python (SSA:2019-293-01)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Oct/29"
          },
          {
            "name": "RHSA-2019:3335",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3335"
          },
          {
            "name": "RHSA-2019:3520",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3520"
          },
          {
            "name": "RHSA-2019:3725",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3725"
          },
          {
            "name": "FEDORA-2019-b06ec6159b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/"
          },
          {
            "name": "FEDORA-2019-d202cda4f8",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/"
          },
          {
            "name": "FEDORA-2019-57462fa10d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/"
          },
          {
            "name": "GLSA-202003-26",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202003-26"
          },
          {
            "name": "[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"
          },
          {
            "name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html"
          },
          {
            "name": "[oss-security] 20210204 [CVE-2020-15693, CVE-2020-15694] Nim - stdlib Httpclient - Header Crlf Injection \u0026 Server Response Validation",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.python.org/issue36276"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190619-0005/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2019-03-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:13:15",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "107466",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107466"
        },
        {
          "name": "FEDORA-2019-1ffd6b6064",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"
        },
        {
          "name": "RHSA-2019:1260",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1260"
        },
        {
          "name": "FEDORA-2019-ec26883852",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/"
        },
        {
          "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"
        },
        {
          "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"
        },
        {
          "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-2] python3.4 regression update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"
        },
        {
          "name": "FEDORA-2019-7723d4774a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/"
        },
        {
          "name": "FEDORA-2019-7df59302e0",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/"
        },
        {
          "name": "RHSA-2019:2030",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2030"
        },
        {
          "name": "USN-4127-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4127-2/"
        },
        {
          "name": "openSUSE-SU-2019:2131",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html"
        },
        {
          "name": "openSUSE-SU-2019:2133",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html"
        },
        {
          "name": "USN-4127-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4127-1/"
        },
        {
          "name": "20191021 [slackware-security] python (SSA:2019-293-01)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Oct/29"
        },
        {
          "name": "RHSA-2019:3335",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3335"
        },
        {
          "name": "RHSA-2019:3520",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3520"
        },
        {
          "name": "RHSA-2019:3725",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3725"
        },
        {
          "name": "FEDORA-2019-b06ec6159b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/"
        },
        {
          "name": "FEDORA-2019-d202cda4f8",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/"
        },
        {
          "name": "FEDORA-2019-57462fa10d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/"
        },
        {
          "name": "GLSA-202003-26",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202003-26"
        },
        {
          "name": "[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"
        },
        {
          "name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html"
        },
        {
          "name": "[oss-security] 20210204 [CVE-2020-15693, CVE-2020-15694] Nim - stdlib Httpclient - Header Crlf Injection \u0026 Server Response Validation",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.python.org/issue36276"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190619-0005/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-9740",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "107466",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107466"
            },
            {
              "name": "FEDORA-2019-1ffd6b6064",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"
            },
            {
              "name": "RHSA-2019:1260",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1260"
            },
            {
              "name": "FEDORA-2019-ec26883852",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/"
            },
            {
              "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"
            },
            {
              "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"
            },
            {
              "name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-2] python3.4 regression update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"
            },
            {
              "name": "FEDORA-2019-7723d4774a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/"
            },
            {
              "name": "FEDORA-2019-7df59302e0",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/"
            },
            {
              "name": "RHSA-2019:2030",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2030"
            },
            {
              "name": "USN-4127-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4127-2/"
            },
            {
              "name": "openSUSE-SU-2019:2131",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html"
            },
            {
              "name": "openSUSE-SU-2019:2133",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html"
            },
            {
              "name": "USN-4127-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4127-1/"
            },
            {
              "name": "20191021 [slackware-security] python (SSA:2019-293-01)",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Oct/29"
            },
            {
              "name": "RHSA-2019:3335",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3335"
            },
            {
              "name": "RHSA-2019:3520",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3520"
            },
            {
              "name": "RHSA-2019:3725",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3725"
            },
            {
              "name": "FEDORA-2019-b06ec6159b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/"
            },
            {
              "name": "FEDORA-2019-d202cda4f8",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/"
            },
            {
              "name": "FEDORA-2019-57462fa10d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/"
            },
            {
              "name": "GLSA-202003-26",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202003-26"
            },
            {
              "name": "[debian-lts-announce] 20200715 [SECURITY] [DLA 2280-1] python3.5 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"
            },
            {
              "name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html"
            },
            {
              "name": "[oss-security] 20210204 [CVE-2020-15693, CVE-2020-15694] Nim - stdlib Httpclient - Header Crlf Injection \u0026 Server Response Validation",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "https://bugs.python.org/issue36276",
              "refsource": "MISC",
              "url": "https://bugs.python.org/issue36276"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190619-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190619-0005/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-9740",
    "datePublished": "2019-03-13T03:00:00",
    "dateReserved": "2019-03-12T00:00:00",
    "dateUpdated": "2024-08-04T22:01:54.079Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-20933 (GCVE-0-2019-20933)

Vulnerability from cvelistv5

Published

2020-11-19 01:50

Modified

2024-08-05 03:00

Severity ?

CWE

Summary

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

References

►

URL

Tags

	https://github.com/influxdata/influxdb/issues/12927	x_refsource_MISC
	https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6	x_refsource_MISC
	https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2021/dsa-4823	vendor-advisory, x_refsource_DEBIAN

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:00:18.714Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/influxdata/influxdb/issues/12927"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0"
          },
          {
            "name": "[debian-lts-announce] 20201220 [SECURITY] [DLA 2501-1] influxdb security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html"
          },
          {
            "name": "DSA-4823",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4823"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-02T15:07:39",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/influxdata/influxdb/issues/12927"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0"
        },
        {
          "name": "[debian-lts-announce] 20201220 [SECURITY] [DLA 2501-1] influxdb security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html"
        },
        {
          "name": "DSA-4823",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4823"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-20933",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/influxdata/influxdb/issues/12927",
              "refsource": "MISC",
              "url": "https://github.com/influxdata/influxdb/issues/12927"
            },
            {
              "name": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6",
              "refsource": "MISC",
              "url": "https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6"
            },
            {
              "name": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0",
              "refsource": "MISC",
              "url": "https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0"
            },
            {
              "name": "[debian-lts-announce] 20201220 [SECURITY] [DLA 2501-1] influxdb security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00030.html"
            },
            {
              "name": "DSA-4823",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4823"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-20933",
    "datePublished": "2020-11-19T01:50:50",
    "dateReserved": "2020-11-19T00:00:00",
    "dateUpdated": "2024-08-05T03:00:18.714Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-24303 (GCVE-0-2020-24303)

Vulnerability from cvelistv5

Published

2020-10-28 13:25

Modified

2024-08-04 15:12

Severity ?

CWE

Summary

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

References

►

URL

Tags

	https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01	x_refsource_MISC
	https://github.com/grafana/grafana/pull/25401	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20201123-0002/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:12:08.961Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/grafana/grafana/pull/25401"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20201123-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-23T11:06:15",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/grafana/grafana/pull/25401"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20201123-0002/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-24303",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01",
              "refsource": "MISC",
              "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01"
            },
            {
              "name": "https://github.com/grafana/grafana/pull/25401",
              "refsource": "MISC",
              "url": "https://github.com/grafana/grafana/pull/25401"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20201123-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20201123-0002/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-24303",
    "datePublished": "2020-10-28T13:25:22",
    "dateReserved": "2020-08-13T00:00:00",
    "dateUpdated": "2024-08-04T15:12:08.961Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26137 (GCVE-0-2020-26137)

Vulnerability from cvelistv5

Published

2020-09-29 00:00

Modified

2024-08-04 15:49

Severity ?

CWE

Summary

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

References

►

URL

Tags

	https://bugs.python.org/issue39603
	https://github.com/urllib3/urllib3/pull/1800
	https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
	https://usn.ubuntu.com/4570-1/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html	mailing-list
	https://www.oracle.com/security-alerts/cpuoct2021.html
	https://www.oracle.com/security-alerts/cpujul2022.html
	https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html	mailing-list

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:49:07.138Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.python.org/issue39603"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/urllib3/urllib3/pull/1800"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
          },
          {
            "name": "USN-4570-1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4570-1/"
          },
          {
            "name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-08T13:06:22.131100",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bugs.python.org/issue39603"
        },
        {
          "url": "https://github.com/urllib3/urllib3/pull/1800"
        },
        {
          "url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
        },
        {
          "name": "USN-4570-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4570-1/"
        },
        {
          "name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-26137",
    "datePublished": "2020-09-29T00:00:00",
    "dateReserved": "2020-09-29T00:00:00",
    "dateUpdated": "2024-08-04T15:49:07.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2020:3624-1

Vulnerability from csaf_suse

CVE-2016-8611 (GCVE-0-2016-8611)

Vulnerability from cvelistv5

CVE-2019-9740 (GCVE-0-2019-9740)

Vulnerability from cvelistv5

CVE-2019-20933 (GCVE-0-2019-20933)

Vulnerability from cvelistv5

CVE-2020-24303 (GCVE-0-2020-24303)

Vulnerability from cvelistv5

CVE-2020-26137 (GCVE-0-2020-26137)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature