VYPR

rpm package

suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP5

pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5

Vulnerabilities (63)

  • CVE-2024-50052Oct 29, 2024
    affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1

    Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.

  • CVE-2024-10241Oct 29, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.

  • CVE-2024-47827Oct 28, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow.

  • CVE-2024-10214Oct 28, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.

  • CVE-2024-49757Oct 25, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option

  • CVE-2024-49753Oct 25, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1).

  • CVE-2024-49381Oct 25, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may lead to information loss. Version 0.7.2 fi

  • CVE-2024-49380Oct 25, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. Version 0

  • CVE-2024-50312Oct 22, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilita

  • CVE-2024-8901HigOct 22, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but

  • CVE-2024-47825Oct 21, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is a policy rule referencing a more n

  • CVE-2024-9264Oct 18, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user wit

  • CVE-2024-22030HigOct 16, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain to exploit this

  • CVE-2024-9594Oct 15, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabl

  • CVE-2024-9486Oct 15, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resultin

  • CVE-2024-48909Oct 14, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permi

  • CVE-2024-38365Oct 11, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    btcd is an alternative full node bitcoin implementation written in Go (golang). The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This logic is consensus-critical: the difference in behavior with the oth

  • CVE-2024-47877Oct 11, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then

  • CVE-2024-9180Oct 10, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.

  • CVE-2024-9312Oct 10, 2024
    affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1

    Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.