rpm package

suse/golang-github-prometheus-promu&distro=SUSE Manager Client Tools 12

pkg:rpm/suse/golang-github-prometheus-promu&distro=SUSE%20Manager%20Client%20Tools%2012

Vulnerabilities (13)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-1365		—	< 0.17.0-1.30.2	0.17.0-1.30.2	Feb 16, 2025	A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this
CVE-2024-45337	Cri	9.1	< 0.17.0-1.24.1	0.17.0-1.24.1	Dec 12, 2024	Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-22037	Med	5.5	< 0.17.0-1.24.1	0.17.0-1.24.1	Nov 28, 2024	The uyuni-server-attestation systemd service needs a database_password environment variable. This file has 640 permission, and cannot be shown users, but the environment is still exposed by systemd to non-privileged users.
CVE-2024-51744	Low	3.1	< 0.17.0-1.24.1	0.17.0-1.24.1	Nov 4, 2024	golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r
CVE-2024-8118	Med	—	< 0.17.0-1.24.1	0.17.0-1.24.1	Sep 26, 2024	In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.
CVE-2024-1313	Med	6.5	< 0.14.0-1.18.1	0.14.0-1.18.1	Mar 26, 2024	It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per
CVE-2023-6152		—	< 0.14.0-1.18.1	0.14.0-1.18.1	Feb 13, 2024	A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.
CVE-2023-3978		—	< 0.16.0-1.21.3	0.16.0-1.21.3	Aug 2, 2023	Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
CVE-2023-3128		—	< 0.17.0-1.24.1	0.17.0-1.24.1	Jun 22, 2023	Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
CVE-2022-46146		—	< 0.14.0-1.12.1	0.14.0-1.12.1	Nov 29, 2022	Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.
CVE-2022-41715		—	< 0.14.0-1.12.1	0.14.0-1.12.1	Oct 14, 2022	Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm
CVE-2022-27664		—	< 0.14.0-1.12.1	0.14.0-1.12.1	Sep 6, 2022	In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-27191		—	< 0.14.0-1.12.1	0.14.0-1.12.1	Mar 18, 2022	The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

CVE-2025-1365Feb 16, 2025
affected < 0.17.0-1.30.2fixed 0.17.0-1.30.2
A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this
CVE-2024-45337CriDec 12, 2024
affected < 0.17.0-1.24.1fixed 0.17.0-1.24.1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-22037MedNov 28, 2024
affected < 0.17.0-1.24.1fixed 0.17.0-1.24.1
The uyuni-server-attestation systemd service needs a database_password environment variable. This file has 640 permission, and cannot be shown users, but the environment is still exposed by systemd to non-privileged users.
CVE-2024-51744LowNov 4, 2024
affected < 0.17.0-1.24.1fixed 0.17.0-1.24.1
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r
CVE-2024-8118MedSep 26, 2024
affected < 0.17.0-1.24.1fixed 0.17.0-1.24.1
In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules.
CVE-2024-1313MedMar 26, 2024
affected < 0.14.0-1.18.1fixed 0.14.0-1.18.1
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the per
CVE-2023-6152Feb 13, 2024
affected < 0.14.0-1.18.1fixed 0.14.0-1.18.1
A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.
CVE-2023-3978Aug 2, 2023
affected < 0.16.0-1.21.3fixed 0.16.0-1.21.3
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
CVE-2023-3128Jun 22, 2023
affected < 0.17.0-1.24.1fixed 0.17.0-1.24.1
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
CVE-2022-46146Nov 29, 2022
affected < 0.14.0-1.12.1fixed 0.14.0-1.12.1
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.
CVE-2022-41715Oct 14, 2022
affected < 0.14.0-1.12.1fixed 0.14.0-1.12.1
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm
CVE-2022-27664Sep 6, 2022
affected < 0.14.0-1.12.1fixed 0.14.0-1.12.1
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-27191Mar 18, 2022
affected < 0.14.0-1.12.1fixed 0.14.0-1.12.1
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.