VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2024-56513HigJan 3, 2025
    affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1

    Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access contr

  • CVE-2025-21609Jan 3, 2025
    affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1

    SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this v

  • CVE-2024-25133HigDec 31, 2024
    affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1

    A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.

  • CVE-2024-56362Dec 23, 2024
    affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1

    Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrie

  • CVE-2024-45387Dec 23, 2024
    affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1

    An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Us

  • CVE-2024-55947Dec 23, 2024
    affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1

    Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.

  • CVE-2024-54148Dec 23, 2024
    affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1

    Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.

  • CVE-2024-12678Dec 20, 2024
    affected < 0.0.20241220T214820-1.1fixed 0.0.20241220T214820-1.1

    Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4

  • CVE-2024-55196HigDec 19, 2024
    affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1

    Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers.

  • CVE-2024-25131HigDec 19, 2024
    affected < 0.0.20241220T214820-1.1fixed 0.0.20241220T214820-1.1

    A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can all

  • CVE-2024-45338MedDec 18, 2024
    affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-9779HigDec 17, 2024
    affected < 0.0.20241220T214820-1.1fixed 0.0.20241220T214820-1.1

    A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole als

  • CVE-2024-55949CriDec 16, 2024
    affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1

    MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in com

  • CVE-2024-54682Dec 16, 2024
    affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1

    Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.

  • CVE-2024-54083Dec 16, 2024
    affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1

    Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.

  • CVE-2024-48872Dec 16, 2024
    affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1

    Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attem

  • CVE-2024-12289Dec 12, 2024
    affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1

    Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization

  • CVE-2024-55885Dec 12, 2024
    affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1

    beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with

  • CVE-2024-12401MedDec 12, 2024
    affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1

    A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector

  • CVE-2024-45337CriDec 12, 2024
    affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

Page 25 of 35