VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2024-13484HigJan 28, 2025
    affected < 0.0.20250130T185858-1.1fixed 0.0.20250130T185858-1.1

    A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitori

  • CVE-2025-0750MedJan 28, 2025
    affected < 0.0.20250130T185858-1.1fixed 0.0.20250130T185858-1.1

    A vulnerability was found in CRI-O. A path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs) may allow an attacker with permissions to create and delete Pods to unmount arbitrary host paths, leading to node-level denial of service by unmountin

  • CVE-2025-22865HigJan 28, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.

  • CVE-2024-45341MedJan 28, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.

  • CVE-2024-45340HigJan 28, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file.

  • CVE-2024-45339HigJan 28, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and

  • CVE-2024-45336MedJan 28, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re

  • CVE-2025-24369LowJan 27, 2025
    affected < 0.0.20250130T185858-1.1fixed 0.0.20250130T185858-1.1

    Anubis is a tool that allows administrators to protect bots against AI scrapers through bot-checking heuristics and a proof-of-work challenge to discourage scraping from multiple IP addresses. Anubis allows attackers to bypass the bot protection by requesting a challenge, formula

  • CVE-2025-24354MedJan 27, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    imgproxy is server for resizing, processing, and converting images. Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host. This vulnerability is fixed in 3.27.2.

  • CVE-2025-24355HigJan 24, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    Updatecli is a tool used to apply file update strategies. Prior to version 0.93.0, private maven repository credentials may be leaked in application logs in case of unsuccessful retrieval operation. During the execution of an updatecli pipeline which contains a `maven` source con

  • CVE-2024-10846MedJan 23, 2025
    affected < 0.0.20250130T185858-1.1fixed 0.0.20250130T185858-1.1

    The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7

  • CVE-2025-24030Jan 23, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of En

  • CVE-2025-23047Jan 22, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An insecure default `Access-Control-Allow-Origin` header value could lead to sensitive data exposure for users of Cilium versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 t

  • CVE-2025-23028Jan 22, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS

  • CVE-2024-11218HigJan 22, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and d

  • CVE-2025-0377Jan 21, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.

  • CVE-2025-24337HigJan 20, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.

  • CVE-2025-23208Jan 17, 2025
    affected < 0.0.20250128T150132-1.1fixed 0.0.20250128T150132-1.1

    zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, t

  • CVE-2024-36402Jan 16, 2025
    affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1

    Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository.

  • CVE-2024-36403Jan 16, 2025
    affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1

    Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR before version 1.3.5 is vulnerable to unbounded disk consumption, where an unauthenticated adversary can induce it to download and cache large amounts of remote media files. MMR's t

Page 23 of 35