rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-27093 | Med | 6.3 | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 28, 2025 | Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, | |
| CVE-2025-11375 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 28, 2025 | Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20. | ||
| CVE-2025-62725 | Hig | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 27, 2025 | Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker‑supplied value from com.docker.compose.file/com.docker.compose.envfile w | |
| CVE-2025-58356 | Hig | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 27, 2025 | Constellation is the first Confidential Kubernetes. The Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the libcryptsetup function crypt_activate_by_passhrase. If the VM is successful in opening t | |
| CVE-2025-62714 | Hig | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 24, 2025 | Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/ | |
| CVE-2025-12044 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 23, 2025 | Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex | ||
| CVE-2025-11621 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 23, 2025 | Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 | ||
| CVE-2025-59048 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 23, 2025 | OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by | ||
| CVE-2025-62820 | Med | 4.9 | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 23, 2025 | Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network. | |
| CVE-2025-62705 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 22, 2025 | OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to sys/raw with use | ||
| CVE-2025-62513 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 22, 2025 | OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This impacts those using the ACME functionality of PKI, | ||
| CVE-2025-10678 | Cri | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 20, 2025 | NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default | |
| CVE-2025-26625 | Hig | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 17, 2025 | Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbol | |
| CVE-2025-59043 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 17, 2025 | OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized me | ||
| CVE-2025-62506 | Hig | 8.1 | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 16, 2025 | MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrict | |
| CVE-2025-58073 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 16, 2025 | Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati | ||
| CVE-2025-61581 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 16, 2025 | ** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control. This issue affects Apache Traffic Control: all versions. People with access to the management interface of the Traffic Router component could specify malicious pat | ||
| CVE-2025-41410 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 16, 2025 | Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based te | ||
| CVE-2025-10545 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 16, 2025 | Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint | ||
| CVE-2025-58075 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 16, 2025 | Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati |
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly,
- CVE-2025-11375Oct 28, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker‑supplied value from com.docker.compose.file/com.docker.compose.envfile w
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Constellation is the first Confidential Kubernetes. The Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the libcryptsetup function crypt_activate_by_passhrase. If the VM is successful in opening t
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/
- CVE-2025-12044Oct 23, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex
- CVE-2025-11621Oct 23, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0
- CVE-2025-59048Oct 23, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.
- CVE-2025-62705Oct 22, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to sys/raw with use
- CVE-2025-62513Oct 22, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This impacts those using the ACME functionality of PKI,
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbol
- CVE-2025-59043Oct 17, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized me
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrict
- CVE-2025-58073Oct 16, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati
- CVE-2025-61581Oct 16, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control. This issue affects Apache Traffic Control: all versions. People with access to the management interface of the Traffic Router component could specify malicious pat
- CVE-2025-41410Oct 16, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based te
- CVE-2025-10545Oct 16, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint
- CVE-2025-58075Oct 16, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati
Page 2 of 35