VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-3931HigMay 14, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorizat

  • CVE-2024-52290May 14, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`con

  • CVE-2025-4658May 13, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions pr

  • CVE-2025-3757May 13, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.

  • CVE-2025-46721May 13, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass CSRF checks and issue req

  • CVE-2025-4432MedMay 9, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets

  • CVE-2025-46816CriMay 6, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyo

  • CVE-2025-46735LowMay 6, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version `1.0.5`. The `windns_record` resource did not sanitize the input variables. This could lead to authen

  • CVE-2025-46815May 6, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefi

  • CVE-2025-43915May 5, 2025
    affected < 0.0.20250520T172319-1.1fixed 0.0.20250520T172319-1.1

    In Linkerd edge releases before edge-25.2.1, and Buoyant Enterprise for Linkerd releases 2.13.0–2.13.7, 2.14.0–2.14.10, 2.15.0–2.15.7, 2.16.0–2.16.4, and 2.17.0–2.17.1, resource exhaustion can occur for Linkerd proxy metrics.

  • CVE-2025-4210HigMay 2, 2025
    affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1

    A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated

  • CVE-2025-3879May 2, 2025
    affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1

    Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7,

  • CVE-2025-4166May 2, 2025
    affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1

    Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified a

  • CVE-2025-46569HigMay 1, 2025
    affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1

    Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query

  • CVE-2025-32777HigApr 30, 2025
    affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1

    Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a

  • CVE-2025-46331Apr 30, 2025
    affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c

  • CVE-2025-46342Apr 30, 2025
    affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to

  • CVE-2025-46327Apr 28, 2025
    affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1

    gosnowflake is the Snowflake Golang driver. Versions starting from 1.7.0 to before 1.13.3, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided

  • CVE-2023-32198higApr 25, 2025
    affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1

    ### Impact A vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack aga

  • CVE-2025-23390medApr 25, 2025
    affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1

    ### Impact A vulnerability has been identified within Fleet where, by default, Fleet will automatically trust a remote server’s certificate when connecting through SSH if the certificate isn’t set in the `known_hosts` file. This could allow the execution of a man-in-the-middle (M

Page 15 of 35