VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-27571Apr 16, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a cha

  • CVE-2025-27538Apr 16, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if

  • CVE-2025-24839Apr 16, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrang

  • CVE-2025-30215CriApr 16, 2025
    affected < 0.0.20250422T152923-1.1fixed 0.0.20250422T152923-1.1

    NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is

  • CVE-2025-32445CriApr 15, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventS

  • CVE-2025-30206CriApr 15, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw

  • CVE-2025-24358MedApr 15, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests onl

  • CVE-2025-2475Apr 14, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials.

  • CVE-2025-2424Apr 14, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.

  • CVE-2025-32093Apr 14, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modificat

  • CVE-2025-3445HigApr 13, 2025
    affected < 0.0.20250807T150727-1.1fixed 0.0.20250807T150727-1.1

    A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. This vulnerability allows using a crafted ZIP file containing path traversal symlinks to create or overwrite files with the user's privileges or application utilizing the library. When using t

  • CVE-2024-52280HigApr 11, 2025
    affected < 0.0.20241121T195252-1.1fixed 0.0.20241121T195252-1.1

    A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher which allows users to watch resources they are not allowed to access, when they have at least some generic permissions on the type. This issue affects rancher: before 2175e09, before 6e30

  • CVE-2025-23391CriApr 11, 2025
    affected < 0.0.20250402T160203-1.1fixed 0.0.20250402T160203-1.1

    A Incorrect Privilege Assignment vulnerability in SUSE rancher allows a Restricted Administrator to change the password of Administrators and take over their accounts. This issue affects rancher: from 2.8.0 before 2.8.14, from 2.9.0 before 2.9.8, from 2.10.0 before 2.10.4.

  • CVE-2025-23389HigApr 11, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    A Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login. This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.

  • CVE-2025-23388HigApr 11, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    A Stack-based Buffer Overflow vulnerability in SUSE rancher allows for denial of service.This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.

  • CVE-2025-23387MedApr 11, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value.This issue affects rancher: from 2.8.0 before 2.8.13, from

  • CVE-2024-52282MedApr 11, 2025
    affected < 0.0.20241121T195252-1.1fixed 0.0.20241121T195252-1.1

    A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with GET access to the Rancher Manager Apps Catalog to read any sensitive information that are contained within the Apps’ values. Additionally, the same information le

  • CVE-2025-1386Apr 11, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.

  • CVE-2025-24866Apr 10, 2025
    affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1

    Mattermost versions 9.11.x <= 9.11.8  fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.

  • CVE-2025-32386Apr 9, 2025
    affected < 0.0.20250410T162706-1.1fixed 0.0.20250410T162706-1.1

    Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to

Page 17 of 35