rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-53859 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Nov 27, 2024 | go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. `go-gh` source | ||
| CVE-2024-53264 | Med | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 27, 2024 | bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). A open redirect vulnerability exists in the loading endpoint, allowing attackers to redirect authenticated users to arbitrary external URLs via the "next" parameter. The loading endpoint accepts and u | |
| CVE-2024-43784 | Med | 5.7 | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 26, 2024 | lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that us | |
| CVE-2024-8676 | Hig | 7.4 | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 26, 2024 | A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the valid | |
| CVE-2024-52529 | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 25, 2024 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range `AND` 2. A Layer 7 allow policy that selects a specific port within the fi | ||
| CVE-2024-6538 | Med | 5.3 | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 25, 2024 | A flaw was found in OpenShift Console. A Server Side Request Forgery (SSRF) attack can happen if an attacker supplies all or part of a URL to the server to query. The server is considered to be in a privileged network position and can often reach exposed services that aren't read | |
| CVE-2024-10220 | Hig | 8.1 | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 22, 2024 | The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes.This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2. | |
| CVE-2024-45719 | — | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Nov 22, 2024 | Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.0. The ids generated using the UUID v1 version are to some extent not secure enough. It can cause the generated token to be predictable. Users are recommended to upgrade | ||
| CVE-2024-52309 | Med | — | < 0.0.20241121T195252-1.1 | 0.0.20241121T195252-1.1 | Nov 21, 2024 | SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature i | |
| CVE-2024-28892 | — | < 0.0.20250108T191942-1.1 | 0.0.20250108T191942-1.1 | Nov 21, 2024 | An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | ||
| CVE-2024-9526 | — | < 0.0.20241119T173509-1.1 | 0.0.20241119T173509-1.1 | Nov 18, 2024 | There exists a stored XSS Vulnerability in Kubeflow Pipeline View web UI. The Kubeflow Web UI allows to create new pipelines. When creating a new pipeline, it is possible to add a description. The description field allows html tags, which are not filtered properly. Leading to a s | ||
| CVE-2024-0793 | Hig | 7.7 | < 0.0.20241119T173509-1.1 | 0.0.20241119T173509-1.1 | Nov 17, 2024 | A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn. | |
| CVE-2024-24426 | Hig | 7.5 | < 0.0.20241119T173509-1.1 | 0.0.20241119T173509-1.1 | Nov 15, 2024 | Reachable assertions in the NGAP_FIND_PROTOCOLIE_BY_ID function of OpenAirInterface Magma v1.8.0 and OAI EPC Federation v1.2.0 allow attackers to cause a Denial of Service (DoS) via a crafted NGAP packet. | |
| CVE-2024-24425 | Med | 6.5 | < 0.0.20241119T173509-1.1 | 0.0.20241119T173509-1.1 | Nov 15, 2024 | Magma v1.8.0 and OAI EPC Federation v1.20 were discovered to contain an out-of-bounds read in the amf_as_establish_req function at /tasks/amf/amf_as.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet. | |
| CVE-2024-52522 | Med | — | < 0.0.20241119T173509-1.1 | 0.0.20241119T173509-1.1 | Nov 15, 2024 | Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions o | |
| CVE-2023-0109 | — | < 0.0.20241119T173509-1.1 | 0.0.20241119T173509-1.1 | Nov 15, 2024 | A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. When the HTML file is accessed, the malicious script | ||
| CVE-2024-44625 | — | < 0.0.20241119T173509-1.1 | 0.0.20241119T173509-1.1 | Nov 15, 2024 | Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. | ||
| CVE-2024-52308 | — | < 0.0.20241119T173509-1.1 | 0.0.20241119T173509-1.1 | Nov 14, 2024 | The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an S | ||
| CVE-2022-31668 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Nov 14, 2024 | Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies | ||
| CVE-2022-45157 | Cri | 9.1 | < 0.0.20241030T212825-1.1 | 0.0.20241030T212825-1.1 | Nov 13, 2024 | A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being st |
- CVE-2024-53859Nov 27, 2024affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. `go-gh` source
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). A open redirect vulnerability exists in the loading endpoint, allowing attackers to redirect authenticated users to arbitrary external URLs via the "next" parameter. The loading endpoint accepts and u
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that us
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the valid
- CVE-2024-52529Nov 25, 2024affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range `AND` 2. A Layer 7 allow policy that selects a specific port within the fi
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
A flaw was found in OpenShift Console. A Server Side Request Forgery (SSRF) attack can happen if an attacker supplies all or part of a URL to the server to query. The server is considered to be in a privileged network position and can often reach exposed services that aren't read
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes.This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
- CVE-2024-45719Nov 22, 2024affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.0. The ids generated using the UUID v1 version are to some extent not secure enough. It can cause the generated token to be predictable. Users are recommended to upgrade
- affected < 0.0.20241121T195252-1.1fixed 0.0.20241121T195252-1.1
SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature i
- CVE-2024-28892Nov 21, 2024affected < 0.0.20250108T191942-1.1fixed 0.0.20250108T191942-1.1
An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
- CVE-2024-9526Nov 18, 2024affected < 0.0.20241119T173509-1.1fixed 0.0.20241119T173509-1.1
There exists a stored XSS Vulnerability in Kubeflow Pipeline View web UI. The Kubeflow Web UI allows to create new pipelines. When creating a new pipeline, it is possible to add a description. The description field allows html tags, which are not filtered properly. Leading to a s
- affected < 0.0.20241119T173509-1.1fixed 0.0.20241119T173509-1.1
A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.
- affected < 0.0.20241119T173509-1.1fixed 0.0.20241119T173509-1.1
Reachable assertions in the NGAP_FIND_PROTOCOLIE_BY_ID function of OpenAirInterface Magma v1.8.0 and OAI EPC Federation v1.2.0 allow attackers to cause a Denial of Service (DoS) via a crafted NGAP packet.
- affected < 0.0.20241119T173509-1.1fixed 0.0.20241119T173509-1.1
Magma v1.8.0 and OAI EPC Federation v1.20 were discovered to contain an out-of-bounds read in the amf_as_establish_req function at /tasks/amf/amf_as.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.
- affected < 0.0.20241119T173509-1.1fixed 0.0.20241119T173509-1.1
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions o
- CVE-2023-0109Nov 15, 2024affected < 0.0.20241119T173509-1.1fixed 0.0.20241119T173509-1.1
A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. When the HTML file is accessed, the malicious script
- CVE-2024-44625Nov 15, 2024affected < 0.0.20241119T173509-1.1fixed 0.0.20241119T173509-1.1
Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.
- CVE-2024-52308Nov 14, 2024affected < 0.0.20241119T173509-1.1fixed 0.0.20241119T173509-1.1
The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an S
- CVE-2022-31668Nov 14, 2024affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies
- affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1
A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being st
Page 27 of 35