rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-56513 | Hig | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Jan 3, 2025 | Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access contr | |
| CVE-2025-21609 | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Jan 3, 2025 | SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this v | ||
| CVE-2024-25133 | Hig | 8.8 | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Dec 31, 2024 | A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod. | |
| CVE-2024-56362 | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Dec 23, 2024 | Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrie | ||
| CVE-2024-45387 | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Dec 23, 2024 | An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Us | ||
| CVE-2024-55947 | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Dec 23, 2024 | Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. | ||
| CVE-2024-54148 | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Dec 23, 2024 | Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1. | ||
| CVE-2024-12678 | — | < 0.0.20241220T214820-1.1 | 0.0.20241220T214820-1.1 | Dec 20, 2024 | Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4 | ||
| CVE-2024-55196 | Hig | 7.5 | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Dec 19, 2024 | Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers. | |
| CVE-2024-25131 | Hig | 8.8 | < 0.0.20241220T214820-1.1 | 0.0.20241220T214820-1.1 | Dec 19, 2024 | A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can all | |
| CVE-2024-45338 | Med | 5.3 | < 0.0.20241218T202206-1.1 | 0.0.20241218T202206-1.1 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-9779 | Hig | 7.5 | < 0.0.20241220T214820-1.1 | 0.0.20241220T214820-1.1 | Dec 17, 2024 | A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole als | |
| CVE-2024-55949 | Cri | — | < 0.0.20241218T202206-1.1 | 0.0.20241218T202206-1.1 | Dec 16, 2024 | MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in com | |
| CVE-2024-54682 | — | < 0.0.20241218T202206-1.1 | 0.0.20241218T202206-1.1 | Dec 16, 2024 | Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin. | ||
| CVE-2024-54083 | — | < 0.0.20241218T202206-1.1 | 0.0.20241218T202206-1.1 | Dec 16, 2024 | Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post. | ||
| CVE-2024-48872 | — | < 0.0.20241218T202206-1.1 | 0.0.20241218T202206-1.1 | Dec 16, 2024 | Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attem | ||
| CVE-2024-12289 | — | < 0.0.20241218T202206-1.1 | 0.0.20241218T202206-1.1 | Dec 12, 2024 | Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization | ||
| CVE-2024-55885 | — | < 0.0.20241218T202206-1.1 | 0.0.20241218T202206-1.1 | Dec 12, 2024 | beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with | ||
| CVE-2024-12401 | Med | 4.4 | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Dec 12, 2024 | A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector | |
| CVE-2024-45337 | Cri | 9.1 | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that |
- affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access contr
- CVE-2025-21609Jan 3, 2025affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this v
- affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.
- CVE-2024-56362Dec 23, 2024affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrie
- CVE-2024-45387Dec 23, 2024affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Us
- CVE-2024-55947Dec 23, 2024affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
- CVE-2024-54148Dec 23, 2024affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
- CVE-2024-12678Dec 20, 2024affected < 0.0.20241220T214820-1.1fixed 0.0.20241220T214820-1.1
Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4
- affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers.
- affected < 0.0.20241220T214820-1.1fixed 0.0.20241220T214820-1.1
A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can all
- affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 0.0.20241220T214820-1.1fixed 0.0.20241220T214820-1.1
A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole als
- affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1
MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in com
- CVE-2024-54682Dec 16, 2024affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.
- CVE-2024-54083Dec 16, 2024affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.
- CVE-2024-48872Dec 16, 2024affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attem
- CVE-2024-12289Dec 12, 2024affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1
Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization
- CVE-2024-55885Dec 12, 2024affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1
beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with
- affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector
- affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
Page 25 of 35