rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-3228 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 20, 2025 | Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run. | ||
| CVE-2025-3227 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 20, 2025 | Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or re | ||
| CVE-2025-4981 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 20, 2025 | Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with p | ||
| CVE-2025-6264 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 20, 2025 | Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like | ||
| CVE-2025-1088 | Low | 2.7 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 18, 2025 | In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. | |
| CVE-2025-5981 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 18, 2025 | Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images. | ||
| CVE-2025-49825 | Cri | 9.8 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 17, 2025 | Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are vulnerable to remote authentication bypass. At time of posting, there is no available open-source patch. | |
| CVE-2025-5689 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 16, 2025 | A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user login for the first time will be considered to be part of the root group in the context of that SSH session. | ||
| CVE-2024-44906 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 12, 2025 | uptrace pgdriver v1.2.1 was discovered to contain a SQL injection vulnerability via the appendArg function in /pgdriver/format.go. The maintainer has stated that the issue is fixed in v1.2.15. | ||
| CVE-2024-44905 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 12, 2025 | go-pg pg v10.13.0 was discovered to contain a SQL injection vulnerability via the component /types/append_value.go. | ||
| CVE-2025-0913 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 11, 2025 | os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent loca | ||
| CVE-2025-4673 | Med | 6.8 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 11, 2025 | Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. | |
| CVE-2025-22874 | Hig | 7.5 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 11, 2025 | Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. | |
| CVE-2025-4922 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jun 11, 2025 | Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14. | ||
| CVE-2025-4128 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 11, 2025 | Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}. | ||
| CVE-2025-4573 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 11, 2025 | Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter inje | ||
| CVE-2025-49140 | Hig | 7.5 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 9, 2025 | Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in a RTP packet factory that can be exploited to trigger a panic with Pion based SFU via crafted RTP packets, This only affect users that use pion/intercep | |
| CVE-2025-49136 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 9, 2025 | listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a | ||
| CVE-2025-25208 | Med | 5.7 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 9, 2025 | A Developer persona can bring down the Authorino service, preventing the evaluation of all AuthPolicies on the cluster | |
| CVE-2025-25207 | Med | 5.7 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 9, 2025 | The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an a |
- CVE-2025-3228Jun 20, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.
- CVE-2025-3227Jun 20, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or re
- CVE-2025-4981Jun 20, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with p
- CVE-2025-6264Jun 20, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.
- CVE-2025-5981Jun 18, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are vulnerable to remote authentication bypass. At time of posting, there is no available open-source patch.
- CVE-2025-5689Jun 16, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user login for the first time will be considered to be part of the root group in the context of that SSH session.
- CVE-2024-44906Jun 12, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
uptrace pgdriver v1.2.1 was discovered to contain a SQL injection vulnerability via the appendArg function in /pgdriver/format.go. The maintainer has stated that the issue is fixed in v1.2.15.
- CVE-2024-44905Jun 12, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
go-pg pg v10.13.0 was discovered to contain a SQL injection vulnerability via the component /types/append_value.go.
- CVE-2025-0913Jun 11, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent loca
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
- CVE-2025-4922Jun 11, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
- CVE-2025-4128Jun 11, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.
- CVE-2025-4573Jun 11, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter inje
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in a RTP packet factory that can be exploited to trigger a panic with Pion based SFU via crafted RTP packets, This only affect users that use pion/intercep
- CVE-2025-49136Jun 9, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
A Developer persona can bring down the Authorino service, preventing the evaluation of all AuthPolicies on the cluster
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an a
Page 12 of 35