rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-25068 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes. | ||
| CVE-2025-24920 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels | ||
| CVE-2025-30179 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries. | ||
| CVE-2025-25274 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels. | ||
| CVE-2025-27933 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 21, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public | ||
| CVE-2025-27715 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 21, 2025 | Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them. | ||
| CVE-2024-53351 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 21, 2025 | Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges. | ||
| CVE-2024-53348 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 21, 2025 | LoxiLB v.0.9.7 and before is vulnerable to Incorrect Access Control which allows attackers to obtain sensitive information and escalate privileges. | ||
| CVE-2025-29923 | Low | 3.7 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 20, 2025 | go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit i | |
| CVE-2025-29922 | Cri | 9.6 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 20, 2025 | kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existi | |
| CVE-2025-29914 | Med | 5.4 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 20, 2025 | OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Prior to 3.3.3, if a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUE | |
| CVE-2024-7598 | Low | 3.1 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 20, 2025 | A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for | |
| CVE-2024-12886 | Hig | 7.5 | < 0.0.20250331T171002-1.1 | 0.0.20250331T171002-1.1 | Mar 20, 2025 | An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the `ollama` server crashing. The vulnerability is present in the `makeRequestWit | |
| CVE-2024-8063 | — | < 0.0.20250515T200012-1.1 | 0.0.20250515T200012-1.1 | Mar 20, 2025 | A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the Modelfile. This can lead to a denial of service (DoS) condition when the server processes the model, causing it | ||
| CVE-2025-0312 | — | < 0.0.20250402T160203-1.1 | 0.0.20250402T160203-1.1 | Mar 20, 2025 | A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that, when uploaded and created on the Ollama server, can cause a crash due to an unchecked null pointer dereference. This can lead to a Denial of Service (DoS) attac | ||
| CVE-2025-0317 | — | < 0.0.20250331T171002-1.1 | 0.0.20250331T171002-1.1 | Mar 20, 2025 | A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model file on the Ollama server. This can lead to a division by zero error in the ggufPadding function, causing the server to crash and resulting in a Denial of Servi | ||
| CVE-2025-0315 | — | < 0.0.20250331T171002-1.1 | 0.0.20250331T171002-1.1 | Mar 20, 2025 | A vulnerability in ollama/ollama <=0.3.14 allows a malicious user to create a customized GGUF model file, upload it to the Ollama server, and create it. This can cause the server to allocate unlimited memory, leading to a Denial of Service (DoS) attack. | ||
| CVE-2024-9900 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 20, 2025 | mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution o | ||
| CVE-2024-12055 | — | < 0.0.20250331T171002-1.1 | 0.0.20250331T171002-1.1 | Mar 20, 2025 | A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be uploaded to the public Ollama server. When the server processes this malicious model, it crashes, leading to a Denial of Service (DoS) attack. The root cause of | ||
| CVE-2024-7631 | Med | 4.3 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 19, 2025 | A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers unsafely.go#L112 Because of this unsafe filepath co |
- CVE-2025-25068Mar 21, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
- CVE-2025-24920Mar 21, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels
- CVE-2025-30179Mar 21, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
- CVE-2025-25274Mar 21, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
- CVE-2025-27933Mar 21, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public
- CVE-2025-27715Mar 21, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them.
- CVE-2024-53351Mar 21, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges.
- CVE-2024-53348Mar 21, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
LoxiLB v.0.9.7 and before is vulnerable to Incorrect Access Control which allows attackers to obtain sensitive information and escalate privileges.
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit i
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existi
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Prior to 3.3.3, if a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUE
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for
- affected < 0.0.20250331T171002-1.1fixed 0.0.20250331T171002-1.1
An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the `ollama` server crashing. The vulnerability is present in the `makeRequestWit
- CVE-2024-8063Mar 20, 2025affected < 0.0.20250515T200012-1.1fixed 0.0.20250515T200012-1.1
A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the Modelfile. This can lead to a denial of service (DoS) condition when the server processes the model, causing it
- CVE-2025-0312Mar 20, 2025affected < 0.0.20250402T160203-1.1fixed 0.0.20250402T160203-1.1
A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that, when uploaded and created on the Ollama server, can cause a crash due to an unchecked null pointer dereference. This can lead to a Denial of Service (DoS) attac
- CVE-2025-0317Mar 20, 2025affected < 0.0.20250331T171002-1.1fixed 0.0.20250331T171002-1.1
A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model file on the Ollama server. This can lead to a division by zero error in the ggufPadding function, causing the server to crash and resulting in a Denial of Servi
- CVE-2025-0315Mar 20, 2025affected < 0.0.20250331T171002-1.1fixed 0.0.20250331T171002-1.1
A vulnerability in ollama/ollama <=0.3.14 allows a malicious user to create a customized GGUF model file, upload it to the Ollama server, and create it. This can cause the server to allocate unlimited memory, leading to a Denial of Service (DoS) attack.
- CVE-2024-9900Mar 20, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution o
- CVE-2024-12055Mar 20, 2025affected < 0.0.20250331T171002-1.1fixed 0.0.20250331T171002-1.1
A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be uploaded to the public Ollama server. When the server processes this malicious model, it crashes, leading to a Denial of Service (DoS) attack. The root cause of
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers unsafely.go#L112 Because of this unsafe filepath co
Page 19 of 35