| Field | Value |
|---|---|
| purl | pkg:rpm/redhat/cephadm-ansible@1:4.1.4-1?arch=el9cp |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-9bm9-9f5h-2yg5 (aliases: CVE-2024-42353, GHSA-mg3v-6m49-jhp3, PYSEC-2024-188) | WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's `urlparse` and joining it to the base URL. `urlparse`, however, treats a `//` at the start of a string as a URI without a scheme and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part, replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8. | There are no reported fixed by versions. |
| VCID-ae1s-qa4g-eyes (aliases: CVE-2022-23491, GHSA-43fp-rhv2-5gv8, PYSEC-2022-42986) | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked Google Group discussion. | There are no reported fixed by versions. |
| VCID-bxfr-hpkh-cyby (aliases: CVE-2023-46136, GHSA-hrfv-mqp8-q5rw, PYSEC-2023-221) | Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of those bytes are appended chunk by chunk to an internal bytearray, and the boundary lookup is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1. | There are no reported fixed by versions. |
| VCID-ks48-yq6s-aue1 (aliases: CVE-2024-41184) | keepalived: Integer overflow vulnerability in vrrp_ipsets_handler | There are no reported fixed by versions. |
| VCID-kycs-rbvn-z3e7 (aliases: CVE-2023-23934, GHSA-px8h-6qxv-m22q, PYSEC-2023-57) | Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3. | There are no reported fixed by versions. |
| VCID-qn4r-71h3-sbgb (aliases: CVE-2023-25577, GHSA-xg9f-g7g7-2323, PYSEC-2023-58) | Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small number of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out-of-memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue. | There are no reported fixed by versions. |
| VCID-rk14-bw25-2yhe (aliases: CVE-2024-47191) | A vulnerability has been discovered in OATH Toolkit which could lead to local root privilege escalation. | There are no reported fixed by versions. |
| VCID-xnny-adma-pycj (aliases: CVE-2023-46159) | ceph: RGW crash upon misconfigured CORS rule | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |