rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-22449 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 9, 2025 | Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public. | ||
| CVE-2025-22130 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Jan 8, 2025 | Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an adm | ||
| CVE-2025-21614 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Jan 6, 2025 | go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted respons | ||
| CVE-2025-21613 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Jan 6, 2025 | go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flag | ||
| CVE-2024-56514 | Med | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Jan 3, 2025 | Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve | |
| CVE-2024-56513 | Hig | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Jan 3, 2025 | Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access contr | |
| CVE-2025-21609 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Jan 3, 2025 | SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this v | ||
| CVE-2024-25133 | Hig | 8.8 | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 31, 2024 | A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod. | |
| CVE-2024-56362 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 23, 2024 | Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrie | ||
| CVE-2024-45387 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 23, 2024 | An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Us | ||
| CVE-2024-55947 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 23, 2024 | Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. | ||
| CVE-2024-54148 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 23, 2024 | Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1. | ||
| CVE-2024-12678 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 20, 2024 | Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4 | ||
| CVE-2024-55196 | Hig | 7.5 | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 19, 2024 | Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers. | |
| CVE-2024-25131 | Hig | 8.8 | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 19, 2024 | A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can all | |
| CVE-2024-45338 | Med | 5.3 | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-9779 | Hig | 7.5 | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Dec 17, 2024 | A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole als | |
| CVE-2024-45337 | Cri | 9.1 | < 0.0.20250226T025151-150000.1.35.1 | 0.0.20250226T025151-150000.1.35.1 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that | |
| CVE-2024-28892 | — | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Nov 21, 2024 | An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | ||
| CVE-2022-45157 | Cri | 9.1 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Nov 13, 2024 | A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being st |
- CVE-2025-22449Jan 9, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.
- CVE-2025-22130Jan 8, 2025affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an adm
- CVE-2025-21614Jan 6, 2025affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted respons
- CVE-2025-21613Jan 6, 2025affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flag
- affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve
- affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access contr
- CVE-2025-21609Jan 3, 2025affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this v
- affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.
- CVE-2024-56362Dec 23, 2024affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrie
- CVE-2024-45387Dec 23, 2024affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Us
- CVE-2024-55947Dec 23, 2024affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
- CVE-2024-54148Dec 23, 2024affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
- CVE-2024-12678Dec 20, 2024affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4
- affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers.
- affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can all
- affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole als
- affected < 0.0.20250226T025151-150000.1.35.1fixed 0.0.20250226T025151-150000.1.35.1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
- CVE-2024-28892Nov 21, 2024affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being st
Page 10 of 14