VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-49221Aug 11, 2025
    affected < 0.0.20250818T190335-1.1fixed 0.0.20250818T190335-1.1

    Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint.

  • CVE-2025-48731Aug 11, 2025
    affected < 0.0.20250818T190335-1.1fixed 0.0.20250818T190335-1.1

    Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint.

  • CVE-2025-44004Aug 11, 2025
    affected < 0.0.20250818T190335-1.1fixed 0.0.20250818T190335-1.1

    Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint.

  • CVE-2025-44001Aug 11, 2025
    affected < 0.0.20250818T190335-1.1fixed 0.0.20250818T190335-1.1

    Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint.

  • CVE-2025-55003Aug 9, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (

  • CVE-2025-55001Aug 9, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying

  • CVE-2025-55000Aug 9, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caus

  • CVE-2025-54999Aug 9, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-

  • CVE-2025-54998Aug 9, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. Thi

  • CVE-2025-54997Aug 9, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network

  • CVE-2025-54996Aug 9, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their s

  • CVE-2025-7195MedAug 7, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Develo

  • CVE-2025-47907Aug 7, 2025
    affected < 0.0.20250807T150727-1.1fixed 0.0.20250807T150727-1.1

    Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex

  • CVE-2025-54799LowAug 7, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which

  • CVE-2025-44779Aug 7, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull.

  • CVE-2025-47908HigAug 6, 2025
    affected < 0.0.20250807T150727-1.1fixed 0.0.20250807T150727-1.1

    Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/s

  • CVE-2025-6013Aug 6, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.

  • CVE-2025-54801Aug 5, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds s

  • CVE-2025-53534HigAug 5, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take o

  • CVE-2025-8341MedAug 4, 2025
    affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1

    Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints. If the plugin was configured to allow only certain URLs, an attacker could

Page 8 of 35