VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-27507Mar 4, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensiti

  • CVE-2025-27421HigMar 3, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly

  • CVE-2025-27414MedFeb 28, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO

  • CVE-2025-22952Feb 27, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.

  • CVE-2025-22868Feb 26, 2025
    affected < 0.0.20250226T025151-1.1fixed 0.0.20250226T025151-1.1

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869Feb 26, 2025
    affected < 0.0.20250226T025151-1.1fixed 0.0.20250226T025151-1.1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-27144MedFeb 24, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

  • CVE-2025-27112Feb 24, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exi

  • CVE-2025-20051Feb 24, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.

  • CVE-2025-25279Feb 24, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import arch

  • CVE-2025-1412Feb 24, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot.

  • CVE-2025-24526Feb 24, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they

  • CVE-2025-27100MedFeb 21, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    lakeFS is an open-source tool that transforms your object storage into a Git-like repository. In affected versions an authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. This problem has been patched in version 1.50.

  • CVE-2025-27088Feb 20, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing a

  • CVE-2025-1293Feb 20, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

  • CVE-2025-27090Feb 19, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without

  • CVE-2025-25196Feb 19, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are exe

  • CVE-2025-24806LowFeb 19, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. If users are allowed to sign in via both username and email the regulation system treats these as separate login even

  • CVE-2025-25204MedFeb 14, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    `gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This beh

  • CVE-2025-0426MedFeb 13, 2025
    affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1

    A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

Page 21 of 35