rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-52594 | Med | 4.3 | < 0.0.20250117T214834-1.1 | 0.0.20250117T214834-1.1 | Jan 16, 2025 | Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit `c4f1e01` fixes this issue. Users are advised to upgrade. Users unab | |
| CVE-2024-52602 | — | < 0.0.20250117T214834-1.1 | 0.0.20250117T214834-1.1 | Jan 16, 2025 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. This is fixed in MMR v1.3.8. Users | ||
| CVE-2024-52791 | — | < 0.0.20250117T214834-1.1 | 0.0.20250117T214834-1.1 | Jan 16, 2025 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON back to MMR for parsing. In parsing, MMR can consume large am | ||
| CVE-2024-56515 | — | < 0.0.20250117T214834-1.1 | 0.0.20250117T214834-1.1 | Jan 16, 2025 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different | ||
| CVE-2025-20621 | — | < 0.0.20250117T214834-1.1 | 0.0.20250117T214834-1.1 | Jan 16, 2025 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post | ||
| CVE-2025-20088 | — | < 0.0.20250117T214834-1.1 | 0.0.20250117T214834-1.1 | Jan 15, 2025 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. | ||
| CVE-2025-20086 | — | < 0.0.20250117T214834-1.1 | 0.0.20250117T214834-1.1 | Jan 15, 2025 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. | ||
| CVE-2025-21088 | — | < 0.0.20250117T214834-1.1 | 0.0.20250117T214834-1.1 | Jan 15, 2025 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input. | ||
| CVE-2024-53263 | Hig | — | < 0.0.20250115T172141-1.1 | 0.0.20250115T172141-1.1 | Jan 14, 2025 | Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credential | |
| CVE-2024-56138 | Med | 4.0 | < 0.0.20250115T172141-1.1 | 0.0.20250115T172141-1.1 | Jan 13, 2025 | notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certif | |
| CVE-2024-51491 | — | < 0.0.20250115T172141-1.1 | 0.0.20250115T172141-1.1 | Jan 13, 2025 | notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab's security audit on the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CR | ||
| CVE-2024-56323 | — | < 0.0.20250115T172141-1.1 | 0.0.20250115T172141-1.1 | Jan 13, 2025 | OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [c | ||
| CVE-2025-22149 | Low | — | < 0.0.20250109T194159-1.1 | 0.0.20250109T194159-1.1 | Jan 9, 2025 | JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a secu | |
| CVE-2025-22445 | — | < 0.0.20250109T194159-1.1 | 0.0.20250109T194159-1.1 | Jan 9, 2025 | Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting. | ||
| CVE-2025-20033 | — | < 0.0.20250109T194159-1.1 | 0.0.20250109T194159-1.1 | Jan 9, 2025 | Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific | ||
| CVE-2025-22449 | — | < 0.0.20250109T194159-1.1 | 0.0.20250109T194159-1.1 | Jan 9, 2025 | Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public. | ||
| CVE-2025-22130 | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Jan 8, 2025 | Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an adm | ||
| CVE-2025-21614 | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Jan 6, 2025 | go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted respons | ||
| CVE-2025-21613 | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Jan 6, 2025 | go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flag | ||
| CVE-2024-56514 | Med | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Jan 3, 2025 | Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve |
- affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1
Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit `c4f1e01` fixes this issue. Users are advised to upgrade. Users unab
- CVE-2024-52602Jan 16, 2025affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. This is fixed in MMR v1.3.8. Users
- CVE-2024-52791Jan 16, 2025affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON back to MMR for parsing. In parsing, MMR can consume large am
- CVE-2024-56515Jan 16, 2025affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different
- CVE-2025-20621Jan 16, 2025affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post
- CVE-2025-20088Jan 15, 2025affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
- CVE-2025-20086Jan 15, 2025affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
- CVE-2025-21088Jan 15, 2025affected < 0.0.20250117T214834-1.1fixed 0.0.20250117T214834-1.1
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
- affected < 0.0.20250115T172141-1.1fixed 0.0.20250115T172141-1.1
Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credential
- affected < 0.0.20250115T172141-1.1fixed 0.0.20250115T172141-1.1
notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certif
- CVE-2024-51491Jan 13, 2025affected < 0.0.20250115T172141-1.1fixed 0.0.20250115T172141-1.1
notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab's security audit on the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CR
- CVE-2024-56323Jan 13, 2025affected < 0.0.20250115T172141-1.1fixed 0.0.20250115T172141-1.1
OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [c
- affected < 0.0.20250109T194159-1.1fixed 0.0.20250109T194159-1.1
JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a secu
- CVE-2025-22445Jan 9, 2025affected < 0.0.20250109T194159-1.1fixed 0.0.20250109T194159-1.1
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.
- CVE-2025-20033Jan 9, 2025affected < 0.0.20250109T194159-1.1fixed 0.0.20250109T194159-1.1
Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific
- CVE-2025-22449Jan 9, 2025affected < 0.0.20250109T194159-1.1fixed 0.0.20250109T194159-1.1
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.
- CVE-2025-22130Jan 8, 2025affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an adm
- CVE-2025-21614Jan 6, 2025affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted respons
- CVE-2025-21613Jan 6, 2025affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flag
- affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve
Page 24 of 35