VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-54059MedJul 18, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a

  • CVE-2025-53945HigJul 18, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issu

  • CVE-2025-6227Jul 18, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.

  • CVE-2025-6233Jul 18, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.

  • CVE-2025-6226Jul 18, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the P

  • CVE-2025-6023HigJul 18, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+sec

  • CVE-2025-23267HigJul 17, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of servi

  • CVE-2025-23266CriJul 17, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data ta

  • CVE-2025-3415MedJul 17, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+

  • CVE-2025-53826Jul 15, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out.

  • CVE-2025-53893Jul 15, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Fil

  • CVE-2025-53634Jul 10, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. The HTTP Gateway processes headers, but with no timeout set. With a slow loris attack, an attacker could cause Denial of Service (DoS). Exploitation does not require authentication nor aut

  • CVE-2025-53633Jul 10, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication

  • CVE-2025-53632Jul 10, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the path of the file to write is not checked, potentially leading to zip slips. Exploitation does not require authentication nor authorizatio

  • CVE-2025-53547Jul 8, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo

  • CVE-2025-0928Jul 8, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned b

  • CVE-2025-53513Jul 8, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running

  • CVE-2025-53512Jul 8, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information.

  • CVE-2025-6224Jul 1, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key

  • CVE-2025-52997Jun 30, 2025
    affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers co

Page 10 of 35