Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTkzOW0tNHhwdy12MzR2
Arbitrary Code Execution in blazar-dashboard
An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected.
Permalink: https://github.com/advisories/GHSA-939m-4xpw-v34vJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTkzOW0tNHhwdy12MzR2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-939m-4xpw-v34v, CVE-2020-26943
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-26943
- https://launchpad.net/bugs/1895688
- https://review.opendev.org/755810
- https://review.opendev.org/755812
- https://review.opendev.org/755813
- https://review.opendev.org/755814
- https://review.opendev.org/756064
- https://security.openstack.org/ossa/OSSA-2020-007.html
- http://www.openwall.com/lists/oss-security/2020/10/16/5
- https://github.com/advisories/GHSA-939m-4xpw-v34v
Affected Packages
pypi:blazar-dashboard
Dependent packages: 0Dependent repositories: 1
Downloads: 299 last month
Affected Version Ranges: = 3.0.0, = 2.0.0, < 1.3.1
Fixed in: 3.0.1, 2.0.1, 1.3.1
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 2.0.0, 3.0.0
All unaffected versions: 1.3.1, 2.0.1, 3.0.1, 4.0.0, 5.0.0, 6.0.0, 7.0.0, 8.0.0, 9.0.0, 10.0.0, 11.0.0