openSUSE Backports SLE vulnerabilities
325 known vulnerabilities affecting opensuse/backports_sle.
Total CVEs: 325
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 27, HIGH 168, MEDIUM 129, LOW 1
Vulnerabilities
Page 9 of 17
CVE-2020-6447 | HIGH | CVSS 8.8 | CWE-125 | v15.0 | 2020-04-13
Inappropriate implementation in developer tools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had convinced the user to use devtools to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6448 | HIGH | CVSS 8.8 | CWE-416 | v15.0 | 2020-04-13
Use after free in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6438 | MEDIUM | CVSS 4.3 | CWE-209 | v15.0 | 2020-04-13
Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension.
nvd
CVE-2020-6444 | MEDIUM | CVSS 6.3 | CWE-908 | v15.0 | 2020-04-13
Uninitialized use in WebRTC in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2019-20637 | HIGH | CVSS 7.5 | CWE-212 | v15.0 | 2020-04-08
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with
nvd
CVE-2020-11653 | HIGH | CVSS 7.5 | CWE-617 | v15.0 | 2020-04-08
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
nvd
CVE-2019-14905 | MEDIUM | CVSS 5.6 | CWE-20 | v15.0 | 2020-03-31
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of con
nvd
CVE-2020-6095 | HIGH | CVSS 7.5 | CWE-690 | v15.0 | 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer dereference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
nvd
CVE-2020-1772 | HIGH | CVSS 7.5 | CWE-155 | v15.0 | 2020-03-27
It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
nvd
CVE-2020-1770 | MEDIUM | CVSS 4.3 | CWE-201 | v15.0 | 2020-03-27
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
nvd
CVE-2020-1769 | MEDIUM | CVSS 4.3 | CWE-16 | v15.0 | 2020-03-27
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
nvd
CVE-2020-6424 | HIGH | CVSS 8.8 | CWE-416 | v15.0 | 2020-03-23
Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6429 | HIGH | CVSS 8.8 | CWE-787 | v15.0 | 2020-03-23
Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6449 | HIGH | CVSS 8.8 | CWE-416 | v15.0 | 2020-03-23
Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-10593 | HIGH | CVSS 7.5 | CWE-401 | v15.0 | 2020-03-23
Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (memory leak), aka TROVE-2020-004. This occurs in circpad_setup_machine_on_circ because a circuit-padding machine can be negotiated twice on the same circuit.
nvd
CVE-2020-6427 | HIGH | CVSS 8.8 | CWE-787 | v15.0 | 2020-03-23
Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6422 | HIGH | CVSS 8.8 | CWE-787 | v15.0 | 2020-03-23
Use after free in WebGL in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6428 | HIGH | CVSS 8.8 | CWE-787 | v15.0 | 2020-03-23
Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-6426 | MEDIUM | CVSS 6.5 | CWE-787 | v15.0 | 2020-03-23
Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2020-10804 | HIGH | CVSS 8.0 | CWE-89 | v15.0 | 2020-03-22
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with
nvd