rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59358 | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 15, 2025 | The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service. | ||
| CVE-2025-9072 | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 15, 2025 | Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled | ||
| CVE-2025-9084 | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 15, 2025 | Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs | ||
| CVE-2025-9078 | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 15, 2025 | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks | ||
| CVE-2025-9076 | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 15, 2025 | Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Matterm | ||
| CVE-2025-54376 | Hig | 7.5 | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 10, 2025 | Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream rea | |
| CVE-2025-54123 | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 10, 2025 | Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vul | ||
| CVE-2025-58063 | Hig | 7.1 | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 9, 2025 | CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a Do | |
| CVE-2025-58430 | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 9, 2025 | listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows | ||
| CVE-2025-58450 | Cri | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 8, 2025 | pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from injection attempts. Version 2.0 | |
| CVE-2025-58445 | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 6, 2025 | Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target k | ||
| CVE-2025-58437 | — | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 6, 2025 | Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a use | ||
| CVE-2025-9566 | Hig | 8.1 | < 0.0.20250908T141310-1.1 | 0.0.20250908T141310-1.1 | Sep 5, 2025 | There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only | |
| CVE-2025-7445 | Med | 6.5 | < 0.0.20250917T170349-1.1 | 0.0.20250917T170349-1.1 | Sep 5, 2025 | Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs. | |
| CVE-2025-55190 | — | < 0.0.20250908T141310-1.1 | 0.0.20250908T141310-1.1 | Sep 4, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials ( | ||
| CVE-2025-58355 | Hig | 7.7 | < 0.0.20250908T141310-1.1 | 0.0.20250908T141310-1.1 | Sep 4, 2025 | Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0. | |
| CVE-2025-56761 | — | < 0.0.20250908T141310-1.1 | 0.0.20250908T141310-1.1 | Sep 3, 2025 | Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges | ||
| CVE-2025-56760 | — | < 0.0.20250908T141310-1.1 | 0.0.20250908T141310-1.1 | Sep 3, 2025 | When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server. | ||
| CVE-2024-58259 | Hig | 8.2 | < 0.0.20250908T141310-1.1 | 0.0.20250908T141310-1.1 | Sep 2, 2025 | A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a malicious user to exploit this by sending excessively large payloads, which are f | |
| CVE-2024-52284 | Hig | 7.7 | < 0.0.20250908T141310-1.1 | 0.0.20250908T141310-1.1 | Sep 2, 2025 | Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets. |
- CVE-2025-59358Sep 15, 2025affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.
- CVE-2025-9072Sep 15, 2025affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled
- CVE-2025-9084Sep 15, 2025affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
- CVE-2025-9078Sep 15, 2025affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks
- CVE-2025-9076Sep 15, 2025affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Matterm
- affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream rea
- CVE-2025-54123Sep 10, 2025affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vul
- affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a Do
- CVE-2025-58430Sep 9, 2025affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows
- affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from injection attempts. Version 2.0
- CVE-2025-58445Sep 6, 2025affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target k
- CVE-2025-58437Sep 6, 2025affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a use
- affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only
- affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1
Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs.
- CVE-2025-55190Sep 4, 2025affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (
- affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1
Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0.
- CVE-2025-56761Sep 3, 2025affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1
Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges
- CVE-2025-56760Sep 3, 2025affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1
When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.
- affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1
A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a malicious user to exploit this by sending excessively large payloads, which are f
- affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1
Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets.
Page 6 of 35