VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-61141HigOct 30, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    sqls-server/sqls 0.2.28 is vulnerable to command injection in the config command because the openEditor function passes the EDITOR environment variable and config file path to sh -c without sanitization, allowing attackers to execute arbitrary commands.

  • CVE-2025-54471MedOct 30, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.

  • CVE-2025-54470HigOct 30, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verif

  • CVE-2025-54469CriOct 30, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor pr

  • CVE-2025-61725HigOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

  • CVE-2025-61724MedOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

  • CVE-2025-61723HigOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.

  • CVE-2025-58189MedOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

  • CVE-2025-58188HigOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.

  • CVE-2025-58187HigOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.

  • CVE-2025-58186MedOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

  • CVE-2025-58185MedOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

  • CVE-2025-58183MedOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r

  • CVE-2025-47912MedOct 29, 2025
    affected < 0.0.20251029T215107-1.1fixed 0.0.20251029T215107-1.1

    The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse

  • CVE-2025-64103CriOct 29, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated ses

  • CVE-2025-64102CriOct 29, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or password

  • CVE-2025-64101HigOct 29, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the passw

  • CVE-2024-58269MedOct 29, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Rancher audit logs.

  • CVE-2023-32199MedOct 29, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters. This only affects custom Global Roles that have a * on * in * rule for

  • CVE-2025-11375MedOct 28, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.

Page 1 of 35