SUSE update for python-Django
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU59181
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-45452
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the Storage.save() method. A remote user can pass a specially crafted HTTP filename to the application and write the file outside of the intended directory.
Update the affected package python-Django to the latest version.
Vulnerable software versionsSUSE OpenStack Cloud Crowbar: 8
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 8
venv-openstack-horizon-hpe-x86_64: before 12.0.5~dev6-14.43.2
venv-openstack-trove-x86_64: before 8.0.2~dev2-11.37.1
venv-openstack-swift-x86_64: before 2.15.2_2.15.2_2.15.2~dev32-11.28.1
venv-openstack-sahara-x86_64: before 7.0.5~dev4-11.37.1
venv-openstack-octavia-x86_64: before 1.0.6~dev3-12.38.1
venv-openstack-nova-x86_64: before 16.1.9~dev92-11.41.1
venv-openstack-neutron-x86_64: before 11.0.9~dev69-13.43.1
venv-openstack-murano-x86_64: before 4.0.2~dev2-12.33.1
venv-openstack-monasca-x86_64: before 2.2.2~dev1-11.40.1
venv-openstack-monasca-ceilometer-x86_64: before 1.5.1_1.5.1_1.5.1~dev3-8.33.1
venv-openstack-manila-x86_64: before 5.1.1~dev5-12.42.1
venv-openstack-magnum-x86_64: before 5.0.2_5.0.2_5.0.2~dev31-11.37.1
venv-openstack-keystone-x86_64: before 12.0.4~dev11-11.40.1
venv-openstack-ironic-x86_64: before 9.1.8~dev8-12.38.1
venv-openstack-horizon-x86_64: before 12.0.5~dev6-14.43.2
venv-openstack-heat-x86_64: before 9.0.8~dev22-12.40.1
venv-openstack-glance-x86_64: before 15.0.3~dev3-12.36.1
venv-openstack-freezer-x86_64: before 5.0.0.0~xrc2~dev2-10.33.1
venv-openstack-designate-x86_64: before 5.0.3~dev7-12.36.1
venv-openstack-cinder-x86_64: before 11.2.3~dev29-14.39.1
venv-openstack-ceilometer-x86_64: before 9.0.8~dev7-12.35.1
venv-openstack-barbican-x86_64: before 5.0.2~dev3-12.38.1
venv-openstack-aodh-x86_64: before 5.1.1~dev7-12.37.1
python-Django: before 1.11.29-3.39.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220286-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU60197
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22818
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when displaying information via the {% debug %} tag. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate the affected package python-Django to the latest version.
Vulnerable software versionsSUSE OpenStack Cloud Crowbar: 8
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 8
venv-openstack-horizon-hpe-x86_64: before 12.0.5~dev6-14.43.2
venv-openstack-trove-x86_64: before 8.0.2~dev2-11.37.1
venv-openstack-swift-x86_64: before 2.15.2_2.15.2_2.15.2~dev32-11.28.1
venv-openstack-sahara-x86_64: before 7.0.5~dev4-11.37.1
venv-openstack-octavia-x86_64: before 1.0.6~dev3-12.38.1
venv-openstack-nova-x86_64: before 16.1.9~dev92-11.41.1
venv-openstack-neutron-x86_64: before 11.0.9~dev69-13.43.1
venv-openstack-murano-x86_64: before 4.0.2~dev2-12.33.1
venv-openstack-monasca-x86_64: before 2.2.2~dev1-11.40.1
venv-openstack-monasca-ceilometer-x86_64: before 1.5.1_1.5.1_1.5.1~dev3-8.33.1
venv-openstack-manila-x86_64: before 5.1.1~dev5-12.42.1
venv-openstack-magnum-x86_64: before 5.0.2_5.0.2_5.0.2~dev31-11.37.1
venv-openstack-keystone-x86_64: before 12.0.4~dev11-11.40.1
venv-openstack-ironic-x86_64: before 9.1.8~dev8-12.38.1
venv-openstack-horizon-x86_64: before 12.0.5~dev6-14.43.2
venv-openstack-heat-x86_64: before 9.0.8~dev22-12.40.1
venv-openstack-glance-x86_64: before 15.0.3~dev3-12.36.1
venv-openstack-freezer-x86_64: before 5.0.0.0~xrc2~dev2-10.33.1
venv-openstack-designate-x86_64: before 5.0.3~dev7-12.36.1
venv-openstack-cinder-x86_64: before 11.2.3~dev29-14.39.1
venv-openstack-ceilometer-x86_64: before 9.0.8~dev7-12.35.1
venv-openstack-barbican-x86_64: before 5.0.2~dev3-12.38.1
venv-openstack-aodh-x86_64: before 5.1.1~dev7-12.37.1
python-Django: before 1.11.29-3.39.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220286-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Infinite loop
EUVDB-ID: #VU60198
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-23833
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when parsing files. A remote attacker can upload a specially crafted file to the server, consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected package python-Django to the latest version.
Vulnerable software versionsSUSE OpenStack Cloud Crowbar: 8
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 8
venv-openstack-horizon-hpe-x86_64: before 12.0.5~dev6-14.43.2
venv-openstack-trove-x86_64: before 8.0.2~dev2-11.37.1
venv-openstack-swift-x86_64: before 2.15.2_2.15.2_2.15.2~dev32-11.28.1
venv-openstack-sahara-x86_64: before 7.0.5~dev4-11.37.1
venv-openstack-octavia-x86_64: before 1.0.6~dev3-12.38.1
venv-openstack-nova-x86_64: before 16.1.9~dev92-11.41.1
venv-openstack-neutron-x86_64: before 11.0.9~dev69-13.43.1
venv-openstack-murano-x86_64: before 4.0.2~dev2-12.33.1
venv-openstack-monasca-x86_64: before 2.2.2~dev1-11.40.1
venv-openstack-monasca-ceilometer-x86_64: before 1.5.1_1.5.1_1.5.1~dev3-8.33.1
venv-openstack-manila-x86_64: before 5.1.1~dev5-12.42.1
venv-openstack-magnum-x86_64: before 5.0.2_5.0.2_5.0.2~dev31-11.37.1
venv-openstack-keystone-x86_64: before 12.0.4~dev11-11.40.1
venv-openstack-ironic-x86_64: before 9.1.8~dev8-12.38.1
venv-openstack-horizon-x86_64: before 12.0.5~dev6-14.43.2
venv-openstack-heat-x86_64: before 9.0.8~dev22-12.40.1
venv-openstack-glance-x86_64: before 15.0.3~dev3-12.36.1
venv-openstack-freezer-x86_64: before 5.0.0.0~xrc2~dev2-10.33.1
venv-openstack-designate-x86_64: before 5.0.3~dev7-12.36.1
venv-openstack-cinder-x86_64: before 11.2.3~dev29-14.39.1
venv-openstack-ceilometer-x86_64: before 9.0.8~dev7-12.35.1
venv-openstack-barbican-x86_64: before 5.0.2~dev3-12.38.1
venv-openstack-aodh-x86_64: before 5.1.1~dev7-12.37.1
python-Django: before 1.11.29-3.39.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20220286-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
