rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59823 | Cri | 9.9 | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 25, 2025 | Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1 | |
| CVE-2025-59824 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 24, 2025 | Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and au | ||
| CVE-2025-47910 | Med | 5.4 | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 22, 2025 | When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended sec | |
| CVE-2025-9081 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 19, 2025 | Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration | ||
| CVE-2025-9079 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 19, 2025 | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory | ||
| CVE-2025-10630 | Med | 4.3 | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 19, 2025 | Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS vulner | |
| CVE-2025-47906 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 18, 2025 | If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. | ||
| CVE-2025-59410 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle at | ||
| CVE-2025-59354 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding h | ||
| CVE-2025-59353 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC ser | ||
| CVE-2025-59352 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allow | ||
| CVE-2025-59351 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability i | ||
| CVE-2025-59350 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one ch | ||
| CVE-2025-59349 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given di | ||
| CVE-2025-59348 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instea | ||
| CVE-2025-59347 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes doze | ||
| CVE-2025-59346 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2’s components to make requests to internal services that are otherwise n | ||
| CVE-2025-59345 | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs | ||
| CVE-2025-59342 | Med | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value | |
| CVE-2025-59341 | Hig | — | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Sep 17, 2025 | esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host |
- affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1
- CVE-2025-59824Sep 24, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and au
- affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended sec
- CVE-2025-9081Sep 19, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
- CVE-2025-9079Sep 19, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory
- affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS vulner
- CVE-2025-47906Sep 18, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
- CVE-2025-59410Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle at
- CVE-2025-59354Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding h
- CVE-2025-59353Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC ser
- CVE-2025-59352Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allow
- CVE-2025-59351Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability i
- CVE-2025-59350Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one ch
- CVE-2025-59349Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given di
- CVE-2025-59348Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instea
- CVE-2025-59347Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes doze
- CVE-2025-59346Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2’s components to make requests to internal services that are otherwise n
- CVE-2025-59345Sep 17, 2025affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs
- affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value
- affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host
Page 3 of 14