rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-49011 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 6, 2025 | SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated | ||
| CVE-2025-47950 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 6, 2025 | CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any lim | ||
| CVE-2025-48710 | Med | 4.1 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 4, 2025 | kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled im | |
| CVE-2025-3454 | Med | 5.0 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 2, 2025 | This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. Th | |
| CVE-2025-29785 | Hig | 7.5 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 2, 2025 | quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packet | |
| CVE-2025-48495 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 2, 2025 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior | ||
| CVE-2025-48494 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 2, 2025 | Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every t | ||
| CVE-2025-3260 | Hig | 8.3 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | Jun 2, 2025 | A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless | |
| CVE-2025-48949 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 30, 2025 | Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL | ||
| CVE-2025-48948 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 30, 2025 | Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, includi | ||
| CVE-2025-48938 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 30, 2025 | go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by r | ||
| CVE-2025-3611 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 30, 2025 | Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API | ||
| CVE-2025-3230 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 30, 2025 | Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via contin | ||
| CVE-2025-2571 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 30, 2025 | Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow. | ||
| CVE-2025-1792 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 30, 2025 | Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members AP | ||
| CVE-2025-48865 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 30, 2025 | Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwa | ||
| CVE-2025-47952 | — | < 0.0.20250529T205903-1.1 | 0.0.20250529T205903-1.1 | May 30, 2025 | Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a b | ||
| CVE-2020-36846 | Cri | 9.8 | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 30, 2025 | A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression | |
| CVE-2025-47933 | — | < 0.0.20250529T205903-1.1 | 0.0.20250529T205903-1.1 | May 29, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke | ||
| CVE-2025-3913 | — | < 0.0.20250612T141001-1.1 | 0.0.20250612T141001-1.1 | May 29, 2025 | Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /a |
- CVE-2025-49011Jun 6, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated
- CVE-2025-47950Jun 6, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any lim
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled im
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. Th
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packet
- CVE-2025-48495Jun 2, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior
- CVE-2025-48494Jun 2, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every t
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless
- CVE-2025-48949May 30, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL
- CVE-2025-48948May 30, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, includi
- CVE-2025-48938May 30, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by r
- CVE-2025-3611May 30, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API
- CVE-2025-3230May 30, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via contin
- CVE-2025-2571May 30, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
- CVE-2025-1792May 30, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members AP
- CVE-2025-48865May 30, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwa
- CVE-2025-47952May 30, 2025affected < 0.0.20250529T205903-1.1fixed 0.0.20250529T205903-1.1
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a b
- affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression
- CVE-2025-47933May 29, 2025affected < 0.0.20250529T205903-1.1fixed 0.0.20250529T205903-1.1
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke
- CVE-2025-3913May 29, 2025affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /a
Page 13 of 35