rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-9313 | Hig | 8.8 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 3, 2024 | Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them. | |
| CVE-2024-47616 | Med | 6.8 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 2, 2024 | Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by | |
| CVE-2024-8038 | Hig | 7.9 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 2, 2024 | Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks. | |
| CVE-2024-8037 | Med | 6.5 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 2, 2024 | Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are norm | |
| CVE-2024-7558 | Hig | 8.7 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 2, 2024 | JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unpr | |
| CVE-2024-33662 | Hig | 7.5 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 2, 2024 | Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function. | |
| CVE-2024-9407 | Med | 4.7 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 1, 2024 | A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensi | |
| CVE-2024-9355 | Med | 6.5 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 1, 2024 | A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co | |
| CVE-2024-9341 | Med | 5.4 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 1, 2024 | A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting se | |
| CVE-2024-47534 | Hig | — | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Oct 1, 2024 | go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but | |
| CVE-2024-47067 | Med | 6.1 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Sep 30, 2024 | AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml respon | |
| CVE-2024-47182 | Med | 4.8 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Sep 27, 2024 | Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3. | |
| CVE-2024-7594 | Hig | 7.5 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Sep 26, 2024 | Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engin | |
| CVE-2024-47003 | Low | 3.1 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Sep 26, 2024 | Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend. | |
| CVE-2024-0133 | Med | 4.1 | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Sep 26, 2024 | NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerab | |
| CVE-2024-0132 | Cri | 9.0 | < 0.0.20241104T154416-150000.1.12.1 | 0.0.20241104T154416-150000.1.12.1 | Sep 26, 2024 | NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A su | |
| CVE-2024-8996 | Hig | 7.3 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Sep 25, 2024 | Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Agent Flow: before 0.43.2 | |
| CVE-2024-8975 | Hig | 7.3 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Sep 25, 2024 | Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1. | |
| CVE-2024-43803 | Med | 4.9 | < 0.0.20250108T191942-150000.1.26.1 | 0.0.20250108T191942-150000.1.26.1 | Sep 3, 2024 | The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both | |
| CVE-2024-39223 | Cri | 9.8 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Jul 3, 2024 | An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey |
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them.
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks.
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are norm
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unpr
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function.
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensi
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting se
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:link_name takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml respon
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3.
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engin
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.
- affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerab
- affected < 0.0.20241104T154416-150000.1.12.1fixed 0.0.20241104T154416-150000.1.12.1
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A su
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Agent Flow: before 0.43.2
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1.
- affected < 0.0.20250108T191942-150000.1.26.1fixed 0.0.20250108T191942-150000.1.26.1
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey
Page 13 of 14