rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-55660 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Dec 11, 2024 | SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access en | ||
| CVE-2024-55659 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Dec 11, 2024 | SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue. | ||
| CVE-2024-55658 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Dec 11, 2024 | SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host s | ||
| CVE-2024-55657 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Dec 11, 2024 | SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system | ||
| CVE-2024-55601 | Med | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Dec 9, 2024 | Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content f | |
| CVE-2024-46455 | Cri | 9.8 | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Dec 9, 2024 | unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser. | |
| CVE-2024-6219 | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Dec 5, 2024 | Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured. | ||
| CVE-2024-6156 | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Dec 5, 2024 | Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store. | ||
| CVE-2024-54132 | Med | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Dec 4, 2024 | The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerab | |
| CVE-2024-54131 | Hig | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Dec 3, 2024 | The Kolide Agent (aka: Launcher) is the lightweight agent designed to work with Kolide's service. An implementation bug in the Kolide Agent (known as `launcher`) allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. The bug was introduced in version 1.5.3 | |
| CVE-2024-50948 | Hig | 7.5 | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Dec 3, 2024 | mochiMQTT v2.6.3 is vulnerable to Denial of Service (DoS) due to improper resource management. An attacker can exhaust system memory and crash the broker by establishing and maintaining a large number of malicious, long-term publish/subscribe sessions. | |
| CVE-2024-53257 | Med | 4.9 | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Dec 3, 2024 | Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages | |
| CVE-2024-53259 | Med | 6.5 | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Dec 2, 2024 | quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a | |
| CVE-2024-53862 | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Dec 2, 2024 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` | ||
| CVE-2024-52801 | Med | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 29, 2024 | sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users' data, since th | |
| CVE-2024-52003 | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 29, 2024 | Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to | ||
| CVE-2024-36623 | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 29, 2024 | moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes. | ||
| CVE-2024-36621 | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 29, 2024 | moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion. | ||
| CVE-2024-36620 | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 29, 2024 | moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go. | ||
| CVE-2024-53858 | Med | 6.5 | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 27, 2024 | The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from se |
- CVE-2024-55660Dec 11, 2024affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access en
- CVE-2024-55659Dec 11, 2024affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.
- CVE-2024-55658Dec 11, 2024affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host s
- CVE-2024-55657Dec 11, 2024affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system
- affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content f
- affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.
- CVE-2024-6219Dec 5, 2024affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.
- CVE-2024-6156Dec 5, 2024affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerab
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
The Kolide Agent (aka: Launcher) is the lightweight agent designed to work with Kolide's service. An implementation bug in the Kolide Agent (known as `launcher`) allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. The bug was introduced in version 1.5.3
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
mochiMQTT v2.6.3 is vulnerable to Denial of Service (DoS) due to improper resource management. An attacker can exhaust system memory and crash the broker by establishing and maintaining a large number of malicious, long-term publish/subscribe sessions.
- affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a
- CVE-2024-53862Dec 2, 2024affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users' data, since th
- CVE-2024-52003Nov 29, 2024affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to
- CVE-2024-36623Nov 29, 2024affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.
- CVE-2024-36621Nov 29, 2024affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.
- CVE-2024-36620Nov 29, 2024affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from se
Page 26 of 35