rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54386 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Aug 1, 2025 | Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file path | ||
| CVE-2025-54424 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Aug 1, 2025 | 1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during cer | ||
| CVE-2025-6015 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Aug 1, 2025 | Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | ||
| CVE-2025-6011 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Aug 1, 2025 | A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and | ||
| CVE-2025-6004 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Aug 1, 2025 | Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | ||
| CVE-2025-6037 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Aug 1, 2025 | Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an att | ||
| CVE-2025-6014 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Aug 1, 2025 | Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | ||
| CVE-2025-6000 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Aug 1, 2025 | A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.1 | ||
| CVE-2025-5999 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Aug 1, 2025 | A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22. | ||
| CVE-2025-54576 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Jul 30, 2025 | OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skip_auth_routes co | ||
| CVE-2025-54410 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Jul 30, 2025 | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail | ||
| CVE-2025-54388 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Jul 30, 2025 | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables | ||
| CVE-2025-4674 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 29, 2025 | The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another V | ||
| CVE-2025-50738 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Jul 29, 2025 | The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo | ||
| CVE-2025-30086 | Med | 4.9 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 25, 2025 | CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any col | |
| CVE-2025-54379 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 24, 2025 | LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauth | ||
| CVE-2025-32019 | Med | 4.1 | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 23, 2025 | Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS cod | |
| CVE-2025-47281 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 23, 2025 | Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno polici | ||
| CVE-2025-53942 | — | < 0.0.20250811T192933-1.1 | 0.0.20250811T192933-1.1 | Jul 23, 2025 | authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked | ||
| CVE-2025-51471 | — | < 0.0.20250730T213748-1.1 | 0.0.20250730T213748-1.1 | Jul 22, 2025 | Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. |
- CVE-2025-54386Aug 1, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file path
- CVE-2025-54424Aug 1, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during cer
- CVE-2025-6015Aug 1, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
- CVE-2025-6011Aug 1, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and
- CVE-2025-6004Aug 1, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
- CVE-2025-6037Aug 1, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an att
- CVE-2025-6014Aug 1, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
- CVE-2025-6000Aug 1, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.1
- CVE-2025-5999Aug 1, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.
- CVE-2025-54576Jul 30, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skip_auth_routes co
- CVE-2025-54410Jul 30, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail
- CVE-2025-54388Jul 30, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables
- CVE-2025-4674Jul 29, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another V
- CVE-2025-50738Jul 29, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any col
- CVE-2025-54379Jul 24, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauth
- affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS cod
- CVE-2025-47281Jul 23, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno polici
- CVE-2025-53942Jul 23, 2025affected < 0.0.20250811T192933-1.1fixed 0.0.20250811T192933-1.1
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked
- CVE-2025-51471Jul 22, 2025affected < 0.0.20250730T213748-1.1fixed 0.0.20250730T213748-1.1
Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.
Page 9 of 35