rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-3931 | Hig | 7.8 | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | May 14, 2025 | A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorizat | |
| CVE-2024-52290 | — | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | May 14, 2025 | LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`con | ||
| CVE-2025-4658 | — | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | May 13, 2025 | Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions pr | ||
| CVE-2025-3757 | — | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | May 13, 2025 | Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. | ||
| CVE-2025-46721 | — | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | May 13, 2025 | nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass CSRF checks and issue req | ||
| CVE-2025-4432 | Med | 5.3 | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | May 9, 2025 | A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets | |
| CVE-2025-46816 | Cri | 9.4 | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | May 6, 2025 | goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyo | |
| CVE-2025-46735 | Low | — | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | May 6, 2025 | Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version `1.0.5`. The `windns_record` resource did not sanitize the input variables. This could lead to authen | |
| CVE-2025-46815 | — | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | May 6, 2025 | The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefi | ||
| CVE-2025-43915 | — | < 0.0.20250520T172319-1.1 | 0.0.20250520T172319-1.1 | May 5, 2025 | In Linkerd edge releases before edge-25.2.1, and Buoyant Enterprise for Linkerd releases 2.13.0–2.13.7, 2.14.0–2.14.10, 2.15.0–2.15.7, 2.16.0–2.16.4, and 2.17.0–2.17.1, resource exhaustion can occur for Linkerd proxy metrics. | ||
| CVE-2025-4210 | Hig | 7.3 | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | May 2, 2025 | A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated | |
| CVE-2025-3879 | — | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | May 2, 2025 | Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, | ||
| CVE-2025-4166 | — | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | May 2, 2025 | Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified a | ||
| CVE-2025-46569 | Hig | — | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | May 1, 2025 | Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query | |
| CVE-2025-32777 | Hig | — | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | Apr 30, 2025 | Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a | |
| CVE-2025-46331 | — | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | Apr 30, 2025 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c | ||
| CVE-2025-46342 | — | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | Apr 30, 2025 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to | ||
| CVE-2025-46327 | — | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | Apr 28, 2025 | gosnowflake is the Snowflake Golang driver. Versions starting from 1.7.0 to before 1.13.3, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided | ||
| CVE-2023-32198 | hig | — | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | Apr 25, 2025 | ### Impact A vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack aga | |
| CVE-2025-23390 | med | — | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | Apr 25, 2025 | ### Impact A vulnerability has been identified within Fleet where, by default, Fleet will automatically trust a remote server’s certificate when connecting through SSH if the certificate isn’t set in the `known_hosts` file. This could allow the execution of a man-in-the-middle (M |
- affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorizat
- CVE-2024-52290May 14, 2025affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`con
- CVE-2025-4658May 13, 2025affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions pr
- CVE-2025-3757May 13, 2025affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.
- CVE-2025-46721May 13, 2025affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass CSRF checks and issue req
- affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets
- affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyo
- affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version `1.0.5`. The `windns_record` resource did not sanitize the input variables. This could lead to authen
- CVE-2025-46815May 6, 2025affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefi
- CVE-2025-43915May 5, 2025affected < 0.0.20250520T172319-1.1fixed 0.0.20250520T172319-1.1
In Linkerd edge releases before edge-25.2.1, and Buoyant Enterprise for Linkerd releases 2.13.0–2.13.7, 2.14.0–2.14.10, 2.15.0–2.15.7, 2.16.0–2.16.4, and 2.17.0–2.17.1, resource exhaustion can occur for Linkerd proxy metrics.
- affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated
- CVE-2025-3879May 2, 2025affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7,
- CVE-2025-4166May 2, 2025affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified a
- affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query
- affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a
- CVE-2025-46331Apr 30, 2025affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c
- CVE-2025-46342Apr 30, 2025affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due to
- CVE-2025-46327Apr 28, 2025affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
gosnowflake is the Snowflake Golang driver. Versions starting from 1.7.0 to before 1.13.3, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided
- affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
### Impact A vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack aga
- affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
### Impact A vulnerability has been identified within Fleet where, by default, Fleet will automatically trust a remote server’s certificate when connecting through SSH if the certificate isn’t set in the `known_hosts` file. This could allow the execution of a man-in-the-middle (M
Page 15 of 35