rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-52996 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 30, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password protected links is error-prone, resulting in potential unprotected shari | ||
| CVE-2025-52995 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 30, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they | ||
| CVE-2025-52901 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 30, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier wil | ||
| CVE-2025-47871 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 30, 2025 | Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to acces | ||
| CVE-2025-46702 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 30, 2025 | Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to | ||
| CVE-2025-52904 | Hig | 8.0 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 26, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within | |
| CVE-2025-52903 | Hig | 8.0 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 26, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions on the 2.x branch prior to 2.33.10, the Command Execution feature of File Browser only allows the execution of shell comm | |
| CVE-2025-52477 | Hig | 8.6 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 26, 2025 | Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which cou | |
| CVE-2025-52902 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 26, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript cod | ||
| CVE-2025-52900 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 26, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same | ||
| CVE-2025-6624 | Hig | 7.2 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 26, 2025 | Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI in | |
| CVE-2025-52890 | Hig | 8.1 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 25, 2025 | Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filteri | |
| CVE-2025-52889 | Low | 3.4 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 25, 2025 | Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_fil | |
| CVE-2025-52894 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 25, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effec | ||
| CVE-2025-52893 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 25, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / | ||
| CVE-2025-4656 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 25, 2025 | Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19. | ||
| CVE-2025-6032 | Hig | 8.3 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 24, 2025 | A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack. | |
| CVE-2025-47943 | Med | 6.3 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 24, 2025 | Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable an | |
| CVE-2024-56731 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 24, 2025 | Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on | ||
| CVE-2025-4563 | Low | 2.7 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 23, 2025 | A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status upda |
- CVE-2025-52996Jun 30, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password protected links is error-prone, resulting in potential unprotected shari
- CVE-2025-52995Jun 30, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they
- CVE-2025-52901Jun 30, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier wil
- CVE-2025-47871Jun 30, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to acces
- CVE-2025-46702Jun 30, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions on the 2.x branch prior to 2.33.10, the Command Execution feature of File Browser only allows the execution of shell comm
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which cou
- CVE-2025-52902Jun 26, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript cod
- CVE-2025-52900Jun 26, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI in
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filteri
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_fil
- CVE-2025-52894Jun 25, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effec
- CVE-2025-52893Jun 25, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 /
- CVE-2025-4656Jun 25, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable an
- CVE-2024-56731Jun 24, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status upda
Page 11 of 35