rpm package
opensuse/velociraptor&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed
Vulnerabilities (85)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-6545 | Cri | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Jun 23, 2025 | Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2. | |
| CVE-2025-5889 | Low | 3.1 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Jun 9, 2025 | A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l | |
| CVE-2025-22872 | Med | 6.5 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-24358 | Med | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Apr 15, 2025 | gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests onl | |
| CVE-2025-30204 | Hig | 7.5 | < 0.7.0.4.git163.87ee3570-1.1 | 0.7.0.4.git163.87ee3570-1.1 | Mar 21, 2025 | golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou | |
| CVE-2025-22870 | Med | 4.4 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Mar 12, 2025 | Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. | |
| CVE-2025-27152 | — | < 0.7.0.4.git163.87ee3570-1.1 | 0.7.0.4.git163.87ee3570-1.1 | Mar 7, 2025 | axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka | ||
| CVE-2025-22868 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2025-22869 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | ||
| CVE-2025-27144 | Med | — | < 0.7.0.4.git163.87ee3570-1.1 | 0.7.0.4.git163.87ee3570-1.1 | Feb 24, 2025 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par | |
| CVE-2024-45339 | Hig | 7.1 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Jan 28, 2025 | When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and | |
| CVE-2024-45338 | Med | 5.3 | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-55565 | Med | 4.3 | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Dec 9, 2024 | nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version. | |
| CVE-2024-21538 | Hig | 7.5 | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Nov 8, 2024 | Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted | |
| CVE-2024-51744 | Low | 3.1 | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Nov 4, 2024 | golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r | |
| CVE-2024-48948 | — | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Oct 15, 2024 | The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomal | ||
| CVE-2024-47875 | — | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Oct 11, 2024 | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3. | ||
| CVE-2024-48949 | — | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Oct 10, 2024 | The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. | ||
| CVE-2024-47068 | — | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Sep 23, 2024 | Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can | ||
| CVE-2024-45812 | Med | 6.4 | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Sep 17, 2024 | Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in |
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests onl
- affected < 0.7.0.4.git163.87ee3570-1.1fixed 0.7.0.4.git163.87ee3570-1.1
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
- CVE-2025-27152Mar 7, 2025affected < 0.7.0.4.git163.87ee3570-1.1fixed 0.7.0.4.git163.87ee3570-1.1
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka
- CVE-2025-22868Feb 26, 2025affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- CVE-2025-22869Feb 26, 2025affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
- affected < 0.7.0.4.git163.87ee3570-1.1fixed 0.7.0.4.git163.87ee3570-1.1
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and
- affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
- affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted
- affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r
- CVE-2024-48948Oct 15, 2024affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomal
- CVE-2024-47875Oct 11, 2024affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
- CVE-2024-48949Oct 10, 2024affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.
- CVE-2024-47068Sep 23, 2024affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can
- affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in
Page 3 of 5