rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-27571 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 16, 2025 | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a cha | ||
| CVE-2025-27538 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 16, 2025 | Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if | ||
| CVE-2025-24839 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 16, 2025 | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrang | ||
| CVE-2025-30215 | Cri | 9.6 | < 0.0.20250422T152923-1.1 | 0.0.20250422T152923-1.1 | Apr 16, 2025 | NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is | |
| CVE-2025-32445 | Cri | 9.9 | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 15, 2025 | Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventS | |
| CVE-2025-30206 | Cri | 9.8 | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 15, 2025 | Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw | |
| CVE-2025-24358 | Med | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 15, 2025 | gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests onl | |
| CVE-2025-2475 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 14, 2025 | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials. | ||
| CVE-2025-2424 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 14, 2025 | Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation. | ||
| CVE-2025-32093 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 14, 2025 | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modificat | ||
| CVE-2025-3445 | Hig | 8.1 | < 0.0.20250807T150727-1.1 | 0.0.20250807T150727-1.1 | Apr 13, 2025 | A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. This vulnerability allows using a crafted ZIP file containing path traversal symlinks to create or overwrite files with the user's privileges or application utilizing the library. When using t | |
| CVE-2024-52280 | Hig | 7.7 | < 0.0.20241121T195252-1.1 | 0.0.20241121T195252-1.1 | Apr 11, 2025 | A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher which allows users to watch resources they are not allowed to access, when they have at least some generic permissions on the type. This issue affects rancher: before 2175e09, before 6e30 | |
| CVE-2025-23391 | Cri | 9.1 | < 0.0.20250402T160203-1.1 | 0.0.20250402T160203-1.1 | Apr 11, 2025 | A Incorrect Privilege Assignment vulnerability in SUSE rancher allows a Restricted Administrator to change the password of Administrators and take over their accounts. This issue affects rancher: from 2.8.0 before 2.8.14, from 2.9.0 before 2.9.8, from 2.10.0 before 2.10.4. | |
| CVE-2025-23389 | Hig | 8.4 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Apr 11, 2025 | A Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login. This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3. | |
| CVE-2025-23388 | Hig | 8.2 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Apr 11, 2025 | A Stack-based Buffer Overflow vulnerability in SUSE rancher allows for denial of service.This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3. | |
| CVE-2025-23387 | Med | 5.3 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Apr 11, 2025 | A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value.This issue affects rancher: from 2.8.0 before 2.8.13, from | |
| CVE-2024-52282 | Med | 6.2 | < 0.0.20241121T195252-1.1 | 0.0.20241121T195252-1.1 | Apr 11, 2025 | A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with GET access to the Rancher Manager Apps Catalog to read any sensitive information that are contained within the Apps’ values. Additionally, the same information le | |
| CVE-2025-1386 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 11, 2025 | When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream. | ||
| CVE-2025-24866 | — | < 0.0.20250422T181640-1.1 | 0.0.20250422T181640-1.1 | Apr 10, 2025 | Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs. | ||
| CVE-2025-32386 | — | < 0.0.20250410T162706-1.1 | 0.0.20250410T162706-1.1 | Apr 9, 2025 | Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to |
- CVE-2025-27571Apr 16, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a cha
- CVE-2025-27538Apr 16, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if
- CVE-2025-24839Apr 16, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrang
- affected < 0.0.20250422T152923-1.1fixed 0.0.20250422T152923-1.1
NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is
- affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventS
- affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw
- affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests onl
- CVE-2025-2475Apr 14, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials.
- CVE-2025-2424Apr 14, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.
- CVE-2025-32093Apr 14, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modificat
- affected < 0.0.20250807T150727-1.1fixed 0.0.20250807T150727-1.1
A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. This vulnerability allows using a crafted ZIP file containing path traversal symlinks to create or overwrite files with the user's privileges or application utilizing the library. When using t
- affected < 0.0.20241121T195252-1.1fixed 0.0.20241121T195252-1.1
A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher which allows users to watch resources they are not allowed to access, when they have at least some generic permissions on the type. This issue affects rancher: before 2175e09, before 6e30
- affected < 0.0.20250402T160203-1.1fixed 0.0.20250402T160203-1.1
A Incorrect Privilege Assignment vulnerability in SUSE rancher allows a Restricted Administrator to change the password of Administrators and take over their accounts. This issue affects rancher: from 2.8.0 before 2.8.14, from 2.9.0 before 2.9.8, from 2.10.0 before 2.10.4.
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
A Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login. This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
A Stack-based Buffer Overflow vulnerability in SUSE rancher allows for denial of service.This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value.This issue affects rancher: from 2.8.0 before 2.8.13, from
- affected < 0.0.20241121T195252-1.1fixed 0.0.20241121T195252-1.1
A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowing any users with GET access to the Rancher Manager Apps Catalog to read any sensitive information that are contained within the Apps’ values. Additionally, the same information le
- CVE-2025-1386Apr 11, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.
- CVE-2025-24866Apr 10, 2025affected < 0.0.20250422T181640-1.1fixed 0.0.20250422T181640-1.1
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.
- CVE-2025-32386Apr 9, 2025affected < 0.0.20250410T162706-1.1fixed 0.0.20250410T162706-1.1
Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to
Page 17 of 35