rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-25199 | Hig | 7.5 | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 12, 2025 | go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1 | |
| CVE-2025-1243 | Low | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 12, 2025 | The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the `update response` fie | |
| CVE-2024-57604 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 12, 2025 | An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the token component. | ||
| CVE-2024-57603 | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 12, 2025 | An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the lack of rate limiting. | ||
| CVE-2025-24976 | Med | — | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 11, 2025 | Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted | |
| CVE-2025-24016 | — | KEV | < 0.0.20250312T181707-1.1 | 0.0.20250312T181707-1.1 | Feb 10, 2025 | Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialize | |
| CVE-2025-24366 | Hig | 7.5 | < 0.0.20250207T224745-1.1 | 0.0.20250207T224745-1.1 | Feb 7, 2025 | SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it | |
| CVE-2025-24786 | — | < 0.0.20250207T224745-1.1 | 0.0.20250207T224745-1.1 | Feb 6, 2025 | WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine | ||
| CVE-2025-24787 | — | < 0.0.20250207T224745-1.1 | 0.0.20250207T224745-1.1 | Feb 6, 2025 | WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string conca | ||
| CVE-2025-22867 | Hig | 7.5 | < 0.0.20250207T224745-1.1 | 0.0.20250207T224745-1.1 | Feb 6, 2025 | On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2. | |
| CVE-2025-22866 | Med | 4.0 | < 0.0.20250207T224745-1.1 | 0.0.20250207T224745-1.1 | Feb 6, 2025 | Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover | |
| CVE-2025-24371 | Hig | — | < 0.0.20250204T220613-1.1 | 0.0.20250204T220613-1.1 | Feb 3, 2025 | CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the `blocksync` protocol peers send their `base` and `latest` heights when they connect to a new node (`A`), which is syncing to the tip of a network. `base` acts as a lower gr | |
| CVE-2024-35177 | — | < 0.0.20250204T220613-1.1 | 0.0.20250204T220613-1.1 | Feb 3, 2025 | Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. The wazuh-agent for Windows is vulnerable to a Local Privilege Escalat | ||
| CVE-2024-47770 | — | < 0.0.20250204T220613-1.1 | 0.0.20250204T220613-1.1 | Feb 3, 2025 | Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. This vulnerability occurs when the system has weak privilege access, t | ||
| CVE-2024-11741 | Med | 4.3 | < 0.0.20250204T220613-1.1 | 0.0.20250204T220613-1.1 | Jan 31, 2025 | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 | |
| CVE-2025-24883 | Hig | — | < 0.0.20250204T220613-1.1 | 0.0.20250204T220613-1.1 | Jan 30, 2025 | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13. | |
| CVE-2025-24784 | Med | 4.3 | < 0.0.20250204T220613-1.1 | 0.0.20250204T220613-1.1 | Jan 30, 2025 | kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. The policy group feature, added to by the 1.17.0 release. By being namespaced, the AdmissionPolicyGroup has a well constrained impact on cluster resources. Henc | |
| CVE-2025-24376 | Med | 6.5 | < 0.0.20250204T220613-1.1 | 0.0.20250204T220613-1.1 | Jan 30, 2025 | kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided b | |
| CVE-2025-23216 | — | < 0.0.20250204T220613-1.1 | 0.0.20250204T220613-1.1 | Jan 30, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes th | ||
| CVE-2025-24884 | Med | — | < 0.0.20250204T220613-1.1 | 0.0.20250204T220613-1.1 | Jan 29, 2025 | kube-audit-rest is a simple logger of mutation/creation requests to the k8s api. If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages. This vulnerability is |
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the `update response` fie
- CVE-2024-57604Feb 12, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the token component.
- CVE-2024-57603Feb 12, 2025affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the lack of rate limiting.
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted
- affected < 0.0.20250312T181707-1.1fixed 0.0.20250312T181707-1.1
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialize
- affected < 0.0.20250207T224745-1.1fixed 0.0.20250207T224745-1.1
SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it
- CVE-2025-24786Feb 6, 2025affected < 0.0.20250207T224745-1.1fixed 0.0.20250207T224745-1.1
WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine
- CVE-2025-24787Feb 6, 2025affected < 0.0.20250207T224745-1.1fixed 0.0.20250207T224745-1.1
WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string conca
- affected < 0.0.20250207T224745-1.1fixed 0.0.20250207T224745-1.1
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
- affected < 0.0.20250207T224745-1.1fixed 0.0.20250207T224745-1.1
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
- affected < 0.0.20250204T220613-1.1fixed 0.0.20250204T220613-1.1
CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the `blocksync` protocol peers send their `base` and `latest` heights when they connect to a new node (`A`), which is syncing to the tip of a network. `base` acts as a lower gr
- CVE-2024-35177Feb 3, 2025affected < 0.0.20250204T220613-1.1fixed 0.0.20250204T220613-1.1
Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. The wazuh-agent for Windows is vulnerable to a Local Privilege Escalat
- CVE-2024-47770Feb 3, 2025affected < 0.0.20250204T220613-1.1fixed 0.0.20250204T220613-1.1
Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. This vulnerability occurs when the system has weak privilege access, t
- affected < 0.0.20250204T220613-1.1fixed 0.0.20250204T220613-1.1
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15
- affected < 0.0.20250204T220613-1.1fixed 0.0.20250204T220613-1.1
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13.
- affected < 0.0.20250204T220613-1.1fixed 0.0.20250204T220613-1.1
kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. The policy group feature, added to by the 1.17.0 release. By being namespaced, the AdmissionPolicyGroup has a well constrained impact on cluster resources. Henc
- affected < 0.0.20250204T220613-1.1fixed 0.0.20250204T220613-1.1
kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided b
- CVE-2025-23216Jan 30, 2025affected < 0.0.20250204T220613-1.1fixed 0.0.20250204T220613-1.1
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes th
- affected < 0.0.20250204T220613-1.1fixed 0.0.20250204T220613-1.1
kube-audit-rest is a simple logger of mutation/creation requests to the k8s api. If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages. This vulnerability is
Page 22 of 35