VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2024-9180Oct 10, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.

  • CVE-2024-9312Oct 10, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.

  • CVE-2024-47832Oct 9, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    ssoready is a single sign on provider implemented via docker. Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature bypass if you have access to certain IDP-signed messages. The underlying mechanism exploits differential behavior be

  • CVE-2024-9675Oct 9, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as lo

  • CVE-2024-36814MedOct 8, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    An arbitrary file read vulnerability in Adguard Home before v0.107.52 allows authenticated attackers to access arbitrary files as root on the underlying Operating System via placing a crafted file into a readable directory.

  • CVE-2024-9313Oct 3, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them.

  • CVE-2024-47616MedOct 2, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by

  • CVE-2024-8038Oct 2, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks.

  • CVE-2024-8037Oct 2, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are norm

  • CVE-2024-7558Oct 2, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unpr

  • CVE-2024-33662Oct 2, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function.

  • CVE-2024-9407MedOct 1, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensi

  • CVE-2024-9355MedOct 1, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co

  • CVE-2024-9341Oct 1, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting se

  • CVE-2024-47534HigOct 1, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but

  • CVE-2024-47067Sep 30, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml respon

  • CVE-2024-47182Sep 27, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3.

  • CVE-2024-7594Sep 26, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engin

  • CVE-2024-47003Sep 26, 2024
    affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1

    Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.

  • CVE-2024-0133Sep 26, 2024
    affected < 0.0.20241104T154416-1.1fixed 0.0.20241104T154416-1.1

    NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerab

Page 30 of 35