rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-27507 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Mar 4, 2025 | The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensiti | ||
| CVE-2025-27421 | Hig | 7.5 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Mar 3, 2025 | Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly | |
| CVE-2025-27414 | Med | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 28, 2025 | MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO | |
| CVE-2025-22952 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 27, 2025 | elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks. | ||
| CVE-2025-22868 | — | < 0.0.20250226T025151-1.1 | 0.0.20250226T025151-1.1 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2025-22869 | — | < 0.0.20250226T025151-1.1 | 0.0.20250226T025151-1.1 | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | ||
| CVE-2025-27144 | Med | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 24, 2025 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par | |
| CVE-2025-27112 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 24, 2025 | Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exi | ||
| CVE-2025-20051 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 24, 2025 | Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards. | ||
| CVE-2025-25279 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 24, 2025 | Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import arch | ||
| CVE-2025-1412 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 24, 2025 | Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. | ||
| CVE-2025-24526 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 24, 2025 | Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they | ||
| CVE-2025-27100 | Med | 6.5 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 21, 2025 | lakeFS is an open-source tool that transforms your object storage into a Git-like repository. In affected versions an authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. This problem has been patched in version 1.50. | |
| CVE-2025-27088 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 20, 2025 | oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing a | ||
| CVE-2025-1293 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 20, 2025 | Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0. | ||
| CVE-2025-27090 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 19, 2025 | Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without | ||
| CVE-2025-25196 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 19, 2025 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are exe | ||
| CVE-2025-24806 | Low | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 19, 2025 | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. If users are allowed to sign in via both username and email the regulation system treats these as separate login even | |
| CVE-2025-25204 | Med | 6.3 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 14, 2025 | `gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This beh | |
| CVE-2025-0426 | Med | 6.2 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 13, 2025 | A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk. |
- CVE-2025-27507Mar 4, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensiti
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO
- CVE-2025-22952Feb 27, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.
- CVE-2025-22868Feb 26, 2025affected < 0.0.20250226T025151-1.1fixed 0.0.20250226T025151-1.1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- CVE-2025-22869Feb 26, 2025affected < 0.0.20250226T025151-1.1fixed 0.0.20250226T025151-1.1
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
- CVE-2025-27112Feb 24, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exi
- CVE-2025-20051Feb 24, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.
- CVE-2025-25279Feb 24, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import arch
- CVE-2025-1412Feb 24, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot.
- CVE-2025-24526Feb 24, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
lakeFS is an open-source tool that transforms your object storage into a Git-like repository. In affected versions an authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. This problem has been patched in version 1.50.
- CVE-2025-27088Feb 20, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing a
- CVE-2025-1293Feb 20, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.
- CVE-2025-27090Feb 19, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without
- CVE-2025-25196Feb 19, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are exe
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. If users are allowed to sign in via both username and email the regulation system treats these as separate login even
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This beh
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
Page 21 of 35