rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-10975 | — | < 0.0.20241112T145010-150000.1.17.1 | 0.0.20241112T145010-150000.1.17.1 | Nov 7, 2024 | Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Editi | ||
| CVE-2024-45794 | — | < 0.0.20241112T145010-150000.1.17.1 | 0.0.20241112T145010-150000.1.17.1 | Nov 7, 2024 | devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). This issue has | ||
| CVE-2024-51746 | Low | — | < 0.0.20241112T145010-150000.1.17.1 | 0.0.20241112T145010-150000.1.17.1 | Nov 5, 2024 | Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply | |
| CVE-2024-51735 | Hig | — | < 0.0.20241112T145010-150000.1.17.1 | 0.0.20241112T145010-150000.1.17.1 | Nov 5, 2024 | Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server. When using a workflow that contains the summary module, it generates reports | |
| CVE-2024-51744 | Low | 3.1 | < 0.0.20241112T145010-150000.1.17.1 | 0.0.20241112T145010-150000.1.17.1 | Nov 4, 2024 | golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r | |
| CVE-2024-10389 | — | < 0.0.20241112T145010-150000.1.17.1 | 0.0.20241112T145010-150000.1.17.1 | Nov 4, 2024 | There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems (e.g., NTFS). This allows Attackers to Write Arbitrary Files via Archive Extraction containing symbolic links. We recommend upgrading past commit f7ce9d7b6f9c6ecd72d0b0f16216 | ||
| CVE-2024-48057 | — | < 0.0.20241112T145010-150000.1.17.1 | 0.0.20241112T145010-150000.1.17.1 | Nov 4, 2024 | localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage. | ||
| CVE-2024-50354 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 31, 2024 | gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16 verification keys allocate excessive memory, consuming a lot of resources and triggering a crash with the error fatal error: runtime: out of m | ||
| CVE-2024-8185 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 31, 2024 | Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint | ||
| CVE-2024-39720 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 31, 2024 | An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-cont | ||
| CVE-2024-10086 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. | ||
| CVE-2024-10006 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. | ||
| CVE-2024-10005 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. | ||
| CVE-2024-10452 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 29, 2024 | Organization admins can delete pending invites created in an organization they are not part of. | ||
| CVE-2024-48921 | — | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 29, 2024 | Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not rec | ||
| CVE-2024-46872 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 29, 2024 | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks | ||
| CVE-2024-47401 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 29, 2024 | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the applicat | ||
| CVE-2024-50052 | — | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Oct 29, 2024 | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post. | ||
| CVE-2024-10241 | — | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 29, 2024 | Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K. | ||
| CVE-2024-47827 | — | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 28, 2024 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow. |
- CVE-2024-10975Nov 7, 2024affected < 0.0.20241112T145010-150000.1.17.1fixed 0.0.20241112T145010-150000.1.17.1
Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Editi
- CVE-2024-45794Nov 7, 2024affected < 0.0.20241112T145010-150000.1.17.1fixed 0.0.20241112T145010-150000.1.17.1
devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). This issue has
- affected < 0.0.20241112T145010-150000.1.17.1fixed 0.0.20241112T145010-150000.1.17.1
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply
- affected < 0.0.20241112T145010-150000.1.17.1fixed 0.0.20241112T145010-150000.1.17.1
Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server. When using a workflow that contains the summary module, it generates reports
- affected < 0.0.20241112T145010-150000.1.17.1fixed 0.0.20241112T145010-150000.1.17.1
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r
- CVE-2024-10389Nov 4, 2024affected < 0.0.20241112T145010-150000.1.17.1fixed 0.0.20241112T145010-150000.1.17.1
There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems (e.g., NTFS). This allows Attackers to Write Arbitrary Files via Archive Extraction containing symbolic links. We recommend upgrading past commit f7ce9d7b6f9c6ecd72d0b0f16216
- CVE-2024-48057Nov 4, 2024affected < 0.0.20241112T145010-150000.1.17.1fixed 0.0.20241112T145010-150000.1.17.1
localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.
- CVE-2024-50354Oct 31, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16 verification keys allocate excessive memory, consuming a lot of resources and triggering a crash with the error fatal error: runtime: out of m
- CVE-2024-8185Oct 31, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint
- CVE-2024-39720Oct 31, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-cont
- CVE-2024-10086Oct 30, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.
- CVE-2024-10006Oct 30, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.
- CVE-2024-10005Oct 30, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
- CVE-2024-10452Oct 29, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
Organization admins can delete pending invites created in an organization they are not part of.
- CVE-2024-48921Oct 29, 2024affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not rec
- CVE-2024-46872Oct 29, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks
- CVE-2024-47401Oct 29, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the applicat
- CVE-2024-50052Oct 29, 2024affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.
- CVE-2024-10241Oct 29, 2024affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.
- CVE-2024-47827Oct 28, 2024affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow.
Page 11 of 14