VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-54499Oct 16, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth clie

  • CVE-2025-41443Oct 16, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint

  • CVE-2025-62375MedOct 15, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is no

  • CVE-2025-62157Oct 14, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attack

  • CVE-2025-62156Oct 14, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack

  • CVE-2025-61688Oct 13, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API.

  • CVE-2025-59836Oct 13, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/updat

  • CVE-2025-59530HigOct 10, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requir

  • CVE-2025-11579Oct 10, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.

  • CVE-2025-61926MedOct 9, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the

  • CVE-2025-61524HigOct 8, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, and fixed in v.2.63.0, allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mech

  • CVE-2025-61595HigOct 2, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    MANTRA is a purpose-built RWA Layer 1 Blockchain, capable of adherence to real world regulatory requirements. Versions 4.0.1 and below do not enforce the tx gas limit in its send hooks. Send hooks can spend more gas than what remains in tx, combined with recursive calls in the wa

  • CVE-2024-58267HigOct 2, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens.

  • CVE-2024-58260HigOct 2, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts.

  • CVE-2025-54293Oct 2, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

  • CVE-2025-54468MedOct 2, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. ema

  • CVE-2025-54291Oct 2, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

  • CVE-2025-54290Oct 2, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

  • CVE-2025-54289Oct 2, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

  • CVE-2025-54288Oct 2, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed proce

Page 3 of 35