rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54059 | Med | 4.4 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 18, 2025 | melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a | |
| CVE-2025-53945 | Hig | 7.0 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 18, 2025 | apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issu | |
| CVE-2025-6227 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 18, 2025 | Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API. | ||
| CVE-2025-6233 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 18, 2025 | Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal. | ||
| CVE-2025-6226 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 18, 2025 | Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the P | ||
| CVE-2025-6023 | Hig | 7.6 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 18, 2025 | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+sec | |
| CVE-2025-23267 | Hig | 8.5 | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Jul 17, 2025 | NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of servi | |
| CVE-2025-23266 | Cri | 9.0 | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Jul 17, 2025 | NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data ta | |
| CVE-2025-3415 | Med | 4.3 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 17, 2025 | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+ | |
| CVE-2025-53826 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 15, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. | ||
| CVE-2025-53893 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 15, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Fil | ||
| CVE-2025-53634 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 10, 2025 | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. The HTTP Gateway processes headers, but with no timeout set. With a slow loris attack, an attacker could cause Denial of Service (DoS). Exploitation does not require authentication nor aut | ||
| CVE-2025-53633 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 10, 2025 | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication | ||
| CVE-2025-53632 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 10, 2025 | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the path of the file to write is not checked, potentially leading to zip slips. Exploitation does not require authentication nor authorizatio | ||
| CVE-2025-53547 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 8, 2025 | Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo | ||
| CVE-2025-0928 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 8, 2025 | In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned b | ||
| CVE-2025-53513 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 8, 2025 | The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running | ||
| CVE-2025-53512 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 8, 2025 | The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information. | ||
| CVE-2025-6224 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 1, 2025 | Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key | ||
| CVE-2025-52997 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 30, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers co |
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issu
- CVE-2025-6227Jul 18, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.
- CVE-2025-6233Jul 18, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
- CVE-2025-6226Jul 18, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the P
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+sec
- affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of servi
- affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data ta
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+
- CVE-2025-53826Jul 15, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out.
- CVE-2025-53893Jul 15, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Fil
- CVE-2025-53634Jul 10, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. The HTTP Gateway processes headers, but with no timeout set. With a slow loris attack, an attacker could cause Denial of Service (DoS). Exploitation does not require authentication nor aut
- CVE-2025-53633Jul 10, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication
- CVE-2025-53632Jul 10, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the path of the file to write is not checked, potentially leading to zip slips. Exploitation does not require authentication nor authorizatio
- CVE-2025-53547Jul 8, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo
- CVE-2025-0928Jul 8, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned b
- CVE-2025-53513Jul 8, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running
- CVE-2025-53512Jul 8, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information.
- CVE-2025-6224Jul 1, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key
- CVE-2025-52997Jun 30, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers co
Page 10 of 35