VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2024-25132MedMar 19, 2025
    affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1

    A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true, regardless of the installation status, and a positive timespan for the spec.hibernat

  • CVE-2025-30153HigMar 19, 2025
    affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1

    kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system

  • CVE-2025-1472Mar 19, 2025
    affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1

    Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

  • CVE-2025-29781MedMar 17, 2025
    affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1

    The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secret from arbitrary namespaces upon deployment of the namespace scoped Custom Resource `BMCEventSubscription`. Prior to versions 0.8.1 and

  • CVE-2024-40635Mar 17, 2025
    affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1

    containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult

  • CVE-2025-0495MedMar 17, 2025
    affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1

    Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured i

  • CVE-2025-2241HigMar 17, 2025
    affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1

    A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision ob

  • CVE-2025-29786HigMar 17, 2025
    affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1

    Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression

  • CVE-2025-30077MedMar 16, 2025
    affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1

    Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits.

  • CVE-2025-1767MedMar 13, 2025
    affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1

    This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using t

  • CVE-2024-9042MedMar 13, 2025
    affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1

    This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.

  • CVE-2025-22870MedMar 12, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

  • CVE-2025-26260Mar 12, 2025
    affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1

    Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution.

  • CVE-2025-27403HigMar 11, 2025
    affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1

    Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to authenticate

  • CVE-2025-27616HigMar 10, 2025
    affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1

    Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its rep

  • CVE-2024-52812MedMar 10, 2025
    affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1

    LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. Prior to version 2.0.8, auser with rights to modify the service (e.g. kuiperUser role) can inject a cross-site scripting payload into the rule `id` parameter. Then, after any user with access to

  • CVE-2025-1296Mar 10, 2025
    affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1

    Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8

  • CVE-2025-27509CriMar 6, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is ena

  • CVE-2025-25294Mar 6, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection atta

  • CVE-2025-27155MedMar 4, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Pinecone is an experimental overlay routing protocol suite which is the foundation of the current P2P Matrix demos. The Pinecone Simulator (pineconesim) included in Pinecone up to commit ea4c337 is vulnerable to stored cross-site scripting. The payload storage is not permanent an

Page 20 of 35