Filtered by vendor Redhat
Subscriptions
Filtered by product Satellite Capsule
Subscriptions
Total
286 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-26130 | 2 Cryptography.io, Redhat | 5 Cryptography, Ansible Automation Platform, Rhui and 2 more | 2025-02-05 | 7.5 High |
| cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. | ||||
| CVE-2023-1894 | 2 Puppet, Redhat | 4 Puppet Enterprise, Puppet Server, Satellite and 1 more | 2025-01-29 | 5.3 Medium |
| A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations. | ||||
| CVE-2023-31047 | 3 Djangoproject, Fedoraproject, Redhat | 5 Django, Fedora, Rhui and 2 more | 2025-01-29 | 9.8 Critical |
| In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. | ||||
| CVE-2022-40896 | 2 Pygments, Redhat | 4 Pygments, Ansible Automation Platform, Satellite and 1 more | 2024-11-27 | 5.5 Medium |
| A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. | ||||
| CVE-2016-1000111 | 2 Redhat, Twisted | 4 Enterprise Linux, Satellite, Satellite Capsule and 1 more | 2024-11-25 | 5.3 Medium |
| Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. | ||||
| CVE-2019-12387 | 5 Canonical, Fedoraproject, Oracle and 2 more | 8 Ubuntu Linux, Fedora, Solaris and 5 more | 2024-11-25 | 6.1 Medium |
| In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF. | ||||
| CVE-2023-37276 | 3 Aio-libs Project, Aiohttp, Redhat | 5 Aiohttp, Aiohttp, Rhui and 2 more | 2024-11-21 | 5.3 Medium |
| aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable. | ||||
| CVE-2023-0462 | 2 Redhat, Theforeman | 4 Satellite, Satellite Capsule, Satellite Utils and 1 more | 2024-11-21 | 8 High |
| An arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload. | ||||
| CVE-2023-0119 | 1 Redhat | 5 Enterprise Linux, Satellite, Satellite Capsule and 2 more | 2024-11-21 | 5.4 Medium |
| A stored Cross-site scripting vulnerability was found in foreman. The Comment section in the Hosts tab has incorrect filtering of user input data. As a result of the attack, an attacker with an existing account on the system can steal another user's session, make requests on behalf of the user, and obtain user credentials. | ||||
| CVE-2023-0118 | 2 Redhat, Theforeman | 6 Enterprise Linux, Satellite, Satellite Capsule and 3 more | 2024-11-21 | 9.1 Critical |
| An arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode in templates and execute arbitrary code on the underlying operating system. | ||||
| CVE-2022-42003 | 5 Debian, Fasterxml, Netapp and 2 more | 23 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 20 more | 2024-11-21 | 7.5 High |
| In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | ||||
| CVE-2022-3874 | 2 Redhat, Theforeman | 4 Satellite, Satellite Capsule, Satellite Utils and 1 more | 2024-11-21 | 8 High |
| A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system. | ||||
| CVE-2022-30122 | 3 Debian, Rack Project, Redhat | 5 Debian Linux, Rack, Satellite and 2 more | 2024-11-21 | 7.5 High |
| A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. | ||||
| CVE-2022-24836 | 5 Apple, Debian, Fedoraproject and 2 more | 6 Macos, Debian Linux, Fedora and 3 more | 2024-11-21 | 7.5 High |
| Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. | ||||
| CVE-2022-23833 | 4 Debian, Djangoproject, Fedoraproject and 1 more | 6 Debian Linux, Django, Fedora and 3 more | 2024-11-21 | 7.5 High |
| An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files. | ||||
| CVE-2022-22818 | 4 Debian, Djangoproject, Fedoraproject and 1 more | 6 Debian Linux, Django, Fedora and 3 more | 2024-11-21 | 6.1 Medium |
| The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. | ||||
| CVE-2021-4142 | 2 Candlepinproject, Redhat | 4 Candlepin, Satellite, Satellite Capsule and 1 more | 2024-11-21 | 5.5 Medium |
| The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin. | ||||
| CVE-2021-45452 | 3 Djangoproject, Fedoraproject, Redhat | 4 Django, Fedora, Satellite and 1 more | 2024-11-21 | 5.3 Medium |
| Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. | ||||
| CVE-2021-45115 | 3 Djangoproject, Fedoraproject, Redhat | 4 Django, Fedora, Satellite and 1 more | 2024-11-21 | 7.5 High |
| An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. | ||||
| CVE-2021-44568 | 2 Opensuse, Redhat | 3 Libsolv, Satellite, Satellite Capsule | 2024-11-21 | 6.5 Medium |
| Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service. | ||||