rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-0132 | — | < 0.0.20241104T154416-1.1 | 0.0.20241104T154416-1.1 | Sep 26, 2024 | NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A su | ||
| CVE-2024-8996 | — | < 0.0.20241030T212825-1.1 | 0.0.20241030T212825-1.1 | Sep 25, 2024 | Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Agent Flow: before 0.43.2 | ||
| CVE-2024-8975 | — | < 0.0.20241030T212825-1.1 | 0.0.20241030T212825-1.1 | Sep 25, 2024 | Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1. | ||
| CVE-2024-8986 | Cri | — | < 0.0.20241120T172248-1.1 | 0.0.20241120T172248-1.1 | Sep 19, 2024 | The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for | |
| CVE-2024-45039 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Sep 6, 2024 | gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for | ||
| CVE-2024-43803 | Med | 4.9 | < 0.0.20241220T214820-1.1 | 0.0.20241220T214820-1.1 | Sep 3, 2024 | The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both | |
| CVE-2024-45310 | — | < 0.0.20250807T150727-1.1 | 0.0.20250807T150727-1.1 | Sep 3, 2024 | runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between | ||
| CVE-2024-45436 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Aug 29, 2024 | extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory. | ||
| CVE-2024-5321 | Med | 6.1 | < 0.0.20250807T150727-1.1 | 0.0.20250807T150727-1.1 | Jul 18, 2024 | A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs. | |
| CVE-2024-39223 | Cri | 9.8 | < 0.0.20241030T212825-1.1 | 0.0.20241030T212825-1.1 | Jul 3, 2024 | An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey | |
| CVE-2024-37820 | Med | 5.4 | < 0.0.20241209T183251-1.1 | 0.0.20241209T183251-1.1 | Jun 25, 2024 | A nil pointer dereference in PingCAP TiDB v8.2.0-alpha-216-gfe5858b allows attackers to crash the application via expression.inferCollation. | |
| CVE-2024-37032 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | May 31, 2024 | Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring. | ||
| CVE-2024-3727 | Hig | 8.3 | < 0.0.20250130T185858-1.1 | 0.0.20250130T185858-1.1 | May 14, 2024 | A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. | |
| CVE-2024-28053 | — | < 0.0.20241218T202206-1.1 | 0.0.20241218T202206-1.1 | Mar 15, 2024 | Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server. | ||
| CVE-2024-1725 | — | < 0.0.20250313T170021-1.1 | 0.0.20250313T170021-1.1 | Mar 7, 2024 | A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker n | ||
| CVE-2023-26154 | — | < 0.0.20250818T190335-1.1 | 0.0.20250818T190335-1.1 | Dec 6, 2023 | Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub | ||
| CVE-2023-5528 | — | < 0.0.20250807T150727-1.1 | 0.0.20250807T150727-1.1 | Nov 14, 2023 | A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. | ||
| CVE-2023-3955 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Oct 31, 2023 | A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes. | ||
| CVE-2023-3676 | — | < 0.0.20241213T205935-1.1 | 0.0.20241213T205935-1.1 | Oct 31, 2023 | A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes. | ||
| CVE-2021-25736 | — | < 0.0.20250807T150727-1.1 | 0.0.20250807T150727-1.1 | Oct 30, 2023 | Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalance |
- CVE-2024-0132Sep 26, 2024affected < 0.0.20241104T154416-1.1fixed 0.0.20241104T154416-1.1
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A su
- CVE-2024-8996Sep 25, 2024affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1
Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Agent Flow: before 0.43.2
- CVE-2024-8975Sep 25, 2024affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1
Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1.
- affected < 0.0.20241120T172248-1.1fixed 0.0.20241120T172248-1.1
The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for
- CVE-2024-45039Sep 6, 2024affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for
- affected < 0.0.20241220T214820-1.1fixed 0.0.20241220T214820-1.1
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both
- CVE-2024-45310Sep 3, 2024affected < 0.0.20250807T150727-1.1fixed 0.0.20250807T150727-1.1
runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between
- CVE-2024-45436Aug 29, 2024affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.
- affected < 0.0.20250807T150727-1.1fixed 0.0.20250807T150727-1.1
A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs.
- affected < 0.0.20241030T212825-1.1fixed 0.0.20241030T212825-1.1
An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey
- affected < 0.0.20241209T183251-1.1fixed 0.0.20241209T183251-1.1
A nil pointer dereference in PingCAP TiDB v8.2.0-alpha-216-gfe5858b allows attackers to crash the application via expression.inferCollation.
- CVE-2024-37032May 31, 2024affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.
- affected < 0.0.20250130T185858-1.1fixed 0.0.20250130T185858-1.1
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
- CVE-2024-28053Mar 15, 2024affected < 0.0.20241218T202206-1.1fixed 0.0.20241218T202206-1.1
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
- CVE-2024-1725Mar 7, 2024affected < 0.0.20250313T170021-1.1fixed 0.0.20250313T170021-1.1
A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker n
- CVE-2023-26154Dec 6, 2023affected < 0.0.20250818T190335-1.1fixed 0.0.20250818T190335-1.1
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub
- CVE-2023-5528Nov 14, 2023affected < 0.0.20250807T150727-1.1fixed 0.0.20250807T150727-1.1
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
- CVE-2023-3955Oct 31, 2023affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
- CVE-2023-3676Oct 31, 2023affected < 0.0.20241213T205935-1.1fixed 0.0.20241213T205935-1.1
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
- CVE-2021-25736Oct 30, 2023affected < 0.0.20250807T150727-1.1fixed 0.0.20250807T150727-1.1
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalance
Page 31 of 35