rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-25132 | Med | 4.3 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 19, 2025 | A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true, regardless of the installation status, and a positive timespan for the spec.hibernat | |
| CVE-2025-30153 | Hig | 7.5 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 19, 2025 | kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system | |
| CVE-2025-1472 | — | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 19, 2025 | Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. | ||
| CVE-2025-29781 | Med | 6.5 | < 0.0.20250318T181448-1.1 | 0.0.20250318T181448-1.1 | Mar 17, 2025 | The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secret from arbitrary namespaces upon deployment of the namespace scoped Custom Resource `BMCEventSubscription`. Prior to versions 0.8.1 and | |
| CVE-2024-40635 | — | < 0.0.20250318T181448-1.1 | 0.0.20250318T181448-1.1 | Mar 17, 2025 | containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult | ||
| CVE-2025-0495 | Med | — | < 0.0.20250318T181448-1.1 | 0.0.20250318T181448-1.1 | Mar 17, 2025 | Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured i | |
| CVE-2025-2241 | Hig | 8.2 | < 0.0.20250318T181448-1.1 | 0.0.20250318T181448-1.1 | Mar 17, 2025 | A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision ob | |
| CVE-2025-29786 | Hig | 7.5 | < 0.0.20250318T181448-1.1 | 0.0.20250318T181448-1.1 | Mar 17, 2025 | Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression | |
| CVE-2025-30077 | Med | 6.2 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 16, 2025 | Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits. | |
| CVE-2025-1767 | Med | 6.5 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 13, 2025 | This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using t | |
| CVE-2024-9042 | Med | 5.9 | < 0.0.20250327T184518-1.1 | 0.0.20250327T184518-1.1 | Mar 13, 2025 | This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below. | |
| CVE-2025-22870 | Med | 4.4 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Mar 12, 2025 | Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. | |
| CVE-2025-26260 | — | < 0.0.20250313T170021-1.1 | 0.0.20250313T170021-1.1 | Mar 12, 2025 | Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution. | ||
| CVE-2025-27403 | Hig | — | < 0.0.20250313T170021-1.1 | 0.0.20250313T170021-1.1 | Mar 11, 2025 | Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to authenticate | |
| CVE-2025-27616 | Hig | 8.5 | < 0.0.20250313T170021-1.1 | 0.0.20250313T170021-1.1 | Mar 10, 2025 | Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its rep | |
| CVE-2024-52812 | Med | 5.4 | < 0.0.20250313T170021-1.1 | 0.0.20250313T170021-1.1 | Mar 10, 2025 | LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. Prior to version 2.0.8, auser with rights to modify the service (e.g. kuiperUser role) can inject a cross-site scripting payload into the rule `id` parameter. Then, after any user with access to | |
| CVE-2025-1296 | — | < 0.0.20250313T170021-1.1 | 0.0.20250313T170021-1.1 | Mar 10, 2025 | Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8 | ||
| CVE-2025-27509 | Cri | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Mar 6, 2025 | fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is ena | |
| CVE-2025-25294 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Mar 6, 2025 | Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection atta | ||
| CVE-2025-27155 | Med | 6.1 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Mar 4, 2025 | Pinecone is an experimental overlay routing protocol suite which is the foundation of the current P2P Matrix demos. The Pinecone Simulator (pineconesim) included in Pinecone up to commit ea4c337 is vulnerable to stored cross-site scripting. The payload storage is not permanent an |
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true, regardless of the installation status, and a positive timespan for the spec.hibernat
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system
- CVE-2025-1472Mar 19, 2025affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
- affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secret from arbitrary namespaces upon deployment of the namespace scoped Custom Resource `BMCEventSubscription`. Prior to versions 0.8.1 and
- CVE-2024-40635Mar 17, 2025affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult
- affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1
Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured i
- affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1
A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision ob
- affected < 0.0.20250318T181448-1.1fixed 0.0.20250318T181448-1.1
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits.
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using t
- affected < 0.0.20250327T184518-1.1fixed 0.0.20250327T184518-1.1
This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
- CVE-2025-26260Mar 12, 2025affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1
Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution.
- affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1
Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to authenticate
- affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its rep
- affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1
LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. Prior to version 2.0.8, auser with rights to modify the service (e.g. kuiperUser role) can inject a cross-site scripting payload into the rule `id` parameter. Then, after any user with access to
- CVE-2025-1296Mar 10, 2025affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is ena
- CVE-2025-25294Mar 6, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection atta
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Pinecone is an experimental overlay routing protocol suite which is the foundation of the current P2P Matrix demos. The Pinecone Simulator (pineconesim) included in Pinecone up to commit ea4c337 is vulnerable to stored cross-site scripting. The payload storage is not permanent an
Page 20 of 35