VYPR

rpm package

opensuse/teleport&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/teleport&distro=openSUSE%20Tumbleweed

Vulnerabilities (24)

  • CVE-2026-34165MedMar 31, 2026
    affected < 17.7.23-1.1fixed 17.7.23-1.1

    go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re

  • CVE-2025-15558Mar 4, 2026
    affected < 17.7.23-1.1fixed 17.7.23-1.1

    Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are

  • CVE-2026-24051HigFeb 2, 2026
    affected < 17.7.23-1.1fixed 17.7.23-1.1

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

  • CVE-2026-21895Jan 8, 2026
    affected < 17.7.14-1.1fixed 17.7.14-1.1

    The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

  • CVE-2025-64702Dec 11, 2025
    affected < 17.7.13-1.1fixed 17.7.13-1.1

    quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (man

  • CVE-2025-59530HigOct 10, 2025
    affected < 17.7.10-1.1fixed 17.7.10-1.1

    quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requir

  • CVE-2025-49825CriJun 17, 2025
    affected < 17.5.3-1.1fixed 17.5.3-1.1

    Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are vulnerable to remote authentication bypass. At time of posting, there is no available open-source patch.

  • CVE-2025-22870MedMar 12, 2025
    affected < 17.3.3-1.1fixed 17.3.3-1.1

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

  • CVE-2025-22868Feb 26, 2025
    affected < 17.2.9-1.1fixed 17.2.9-1.1

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869Feb 26, 2025
    affected < 17.2.9-1.1fixed 17.2.9-1.1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-27144MedFeb 24, 2025
    affected < 17.2.9-1.1fixed 17.2.9-1.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

  • CVE-2024-45338MedDec 18, 2024
    affected < 17.1.0-1.1fixed 17.1.0-1.1

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-45337CriDec 12, 2024
    affected < 17.0.5-1.1fixed 17.0.5-1.1

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-53259MedDec 2, 2024
    affected < 17.0.3-1.1fixed 17.0.3-1.1

    quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a

  • CVE-2024-6104Jun 24, 2024
    affected < 15.4.7-1.1fixed 15.4.7-1.1

    go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

  • CVE-2024-35255Jun 11, 2024
    affected < 15.4.3-1.1fixed 15.4.3-1.1

    Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

  • CVE-2024-32650HigApr 19, 2024
    affected < 15.2.4-1.1fixed 15.2.4-1.1

    Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client send a `close_notify` message immediately after `client_hello`, the server's `complete

  • CVE-2024-29902Apr 10, 2024
    affected < 15.2.4-1.1fixed 15.2.4-1.1

    Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory a

  • CVE-2023-45288HigApr 4, 2024
    affected < 15.2.4-1.1fixed 15.2.4-1.1

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma

  • CVE-2024-27303Mar 6, 2024
    affected < 15.1.6-1.1fixed 15.1.6-1.1

    electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Windows and Linux. A vulnerability that only affects eletron-builder prior to 24.13.2 in Windows, the NSIS installer makes a system call to open cmd.exe via NSExec

Page 1 of 2