rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54499 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 16, 2025 | Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth clie | ||
| CVE-2025-41443 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 16, 2025 | Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint | ||
| CVE-2025-62375 | Med | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 15, 2025 | go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is no | |
| CVE-2025-62157 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 14, 2025 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attack | ||
| CVE-2025-62156 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 14, 2025 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack | ||
| CVE-2025-61688 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 13, 2025 | Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API. | ||
| CVE-2025-59836 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 13, 2025 | Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/updat | ||
| CVE-2025-59530 | Hig | 7.5 | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 10, 2025 | quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requir | |
| CVE-2025-11579 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 10, 2025 | github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash. | ||
| CVE-2025-61926 | Med | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Oct 9, 2025 | Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the | |
| CVE-2025-61524 | Hig | 7.2 | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 8, 2025 | An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, and fixed in v.2.63.0, allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mech | |
| CVE-2025-61595 | Hig | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Oct 2, 2025 | MANTRA is a purpose-built RWA Layer 1 Blockchain, capable of adherence to real world regulatory requirements. Versions 4.0.1 and below do not enforce the tx gas limit in its send hooks. Send hooks can spend more gas than what remains in tx, combined with recursive calls in the wa | |
| CVE-2024-58267 | Hig | 8.0 | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Oct 2, 2025 | A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens. | |
| CVE-2024-58260 | Hig | 7.6 | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Oct 2, 2025 | A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. | |
| CVE-2025-54293 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 2, 2025 | Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links. | ||
| CVE-2025-54468 | Med | 4.7 | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Oct 2, 2025 | A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. ema | |
| CVE-2025-54291 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 2, 2025 | Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses. | ||
| CVE-2025-54290 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 2, 2025 | Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints. | ||
| CVE-2025-54289 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 2, 2025 | Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format | ||
| CVE-2025-54288 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 2, 2025 | Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed proce |
- CVE-2025-54499Oct 16, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth clie
- CVE-2025-41443Oct 16, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is no
- CVE-2025-62157Oct 14, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attack
- CVE-2025-62156Oct 14, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack
- CVE-2025-61688Oct 13, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API.
- CVE-2025-59836Oct 13, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/updat
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requir
- CVE-2025-11579Oct 10, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
- affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the
- affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, and fixed in v.2.63.0, allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mech
- affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
MANTRA is a purpose-built RWA Layer 1 Blockchain, capable of adherence to real world regulatory requirements. Versions 4.0.1 and below do not enforce the tx gas limit in its send hooks. Send hooks can spend more gas than what remains in tx, combined with recursive calls in the wa
- affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens.
- affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts.
- CVE-2025-54293Oct 2, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.
- affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. ema
- CVE-2025-54291Oct 2, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
- CVE-2025-54290Oct 2, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
- CVE-2025-54289Oct 2, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
- CVE-2025-54288Oct 2, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed proce
Page 3 of 35