VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-59354Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding h

  • CVE-2025-59353Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC ser

  • CVE-2025-59352Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allow

  • CVE-2025-59351Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability i

  • CVE-2025-59350Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one ch

  • CVE-2025-59349Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given di

  • CVE-2025-59348Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instea

  • CVE-2025-59347Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes doze

  • CVE-2025-59346Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2’s components to make requests to internal services that are otherwise n

  • CVE-2025-59345Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs

  • CVE-2025-59342MedSep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value

  • CVE-2025-59341HigSep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host

  • CVE-2025-8077CriSep 17, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could u

  • CVE-2025-54467MedSep 17, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log.

  • CVE-2025-53884MedSep 17, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed).

  • CVE-2025-4953HigSep 16, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the c

  • CVE-2025-8396MedSep 15, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed

  • CVE-2025-59361Sep 15, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

  • CVE-2025-59360Sep 15, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

  • CVE-2025-59359Sep 15, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

Page 5 of 35