rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-22031 | hig | — | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | Apr 25, 2025 | ### Impact A vulnerability has been identified within Rancher where a user with the ability to create a project, on a certain cluster, can create a project with the same name as an existing project in a different cluster. This results in the user gaining access to the other proje | |
| CVE-2025-46599 | Med | 6.8 | < 0.0.20250506T153719-1.1 | 0.0.20250506T153719-1.1 | Apr 25, 2025 | CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this por | |
| CVE-2025-41423 | — | < 0.0.20250424T181457-1.1 | 0.0.20250424T181457-1.1 | Apr 24, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks | ||
| CVE-2025-35965 | — | < 0.0.20250424T181457-1.1 | 0.0.20250424T181457-1.1 | Apr 24, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions trigge | ||
| CVE-2025-41395 | — | < 0.0.20250424T181457-1.1 | 0.0.20250424T181457-1.1 | Apr 24, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cau | ||
| CVE-2025-32963 | Med | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 22, 2025 | MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the `spec.audiences` field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may uninten | |
| CVE-2025-32793 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 21, 2025 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating | ||
| CVE-2025-32431 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 21, 2025 | Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the | ||
| CVE-2025-43973 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 21, 2025 | An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message. | ||
| CVE-2025-43972 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 21, 2025 | An issue was discovered in GoBGP before 3.35.0. An attacker can cause a crash in the pkg/packet/bgp/bgp.go flowspec parser by sending fewer than 20 bytes in a certain context. | ||
| CVE-2025-43971 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 21, 2025 | An issue was discovered in GoBGP before 3.35.0. pkg/packet/bgp/bgp.go allows attackers to cause a panic via a zero value for softwareVersionLen. | ||
| CVE-2025-43970 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 21, 2025 | An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes (depending on the address family). | ||
| CVE-2025-3801 | Low | 2.4 | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 19, 2025 | A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is | |
| CVE-2025-22872 | Med | 6.5 | < 0.0.20250416T165455-1.1 | 0.0.20250416T165455-1.1 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-2564 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 16, 2025 | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this | ||
| CVE-2024-52281 | Hig | 8.9 | < 0.0.20250115T172141-1.1 | 0.0.20250115T172141-1.1 | Apr 16, 2025 | A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue affects rancher: from 2.9.0 before 2.9.4. | |
| CVE-2024-22036 | Cri | 9.1 | < 0.0.20241030T212825-1.1 | 0.0.20241030T212825-1.1 | Apr 16, 2025 | A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land withi | |
| CVE-2023-32197 | Med | 6.6 | < 0.0.20241030T212825-1.1 | 0.0.20241030T212825-1.1 | Apr 16, 2025 | A Improper Privilege Management vulnerability in SUSE rancher in RoleTemplateobjects when external=true is set can lead to privilege escalation in specific scenarios.This issue affects rancher: from 2.7.0 before 2.7.14, from 2.8.0 before 2.8.5. | |
| CVE-2025-27936 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 16, 2025 | Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via | ||
| CVE-2025-31363 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 16, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in t |
- affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
### Impact A vulnerability has been identified within Rancher where a user with the ability to create a project, on a certain cluster, can create a project with the same name as an existing project in a different cluster. This results in the user gaining access to the other proje
- affected < 0.0.20250506T153719-1.1fixed 0.0.20250506T153719-1.1
CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this por
- CVE-2025-41423Apr 24, 2025affected < 0.0.20250424T181457-1.1fixed 0.0.20250424T181457-1.1
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks
- CVE-2025-35965Apr 24, 2025affected < 0.0.20250424T181457-1.1fixed 0.0.20250424T181457-1.1
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions trigge
- CVE-2025-41395Apr 24, 2025affected < 0.0.20250424T181457-1.1fixed 0.0.20250424T181457-1.1
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cau
- affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the `spec.audiences` field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may uninten
- CVE-2025-32793Apr 21, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating
- CVE-2025-32431Apr 21, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the
- CVE-2025-43973Apr 21, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message.
- CVE-2025-43972Apr 21, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
An issue was discovered in GoBGP before 3.35.0. An attacker can cause a crash in the pkg/packet/bgp/bgp.go flowspec parser by sending fewer than 20 bytes in a certain context.
- CVE-2025-43971Apr 21, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
An issue was discovered in GoBGP before 3.35.0. pkg/packet/bgp/bgp.go allows attackers to cause a panic via a zero value for softwareVersionLen.
- CVE-2025-43970Apr 21, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes (depending on the address family).
- affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is
- affected < 0.0.20250416T165455-1.1fixed 0.0.20250416T165455-1.1
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- CVE-2025-2564Apr 16, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this
- affected < 0.0.20250115T172141-1.1fixed 0.0.20250115T172141-1.1
A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue affects rancher: from 2.9.0 before 2.9.4.
- affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1
A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land withi
- affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1
A Improper Privilege Management vulnerability in SUSE rancher in RoleTemplateobjects when external=true is set can lead to privilege escalation in specific scenarios.This issue affects rancher: from 2.7.0 before 2.7.14, from 2.8.0 before 2.8.5.
- CVE-2025-27936Apr 16, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via
- CVE-2025-31363Apr 16, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in t
Page 16 of 35