VYPR

rpm package

suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6

pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6

Vulnerabilities (274)

  • CVE-2025-8077CriSep 17, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could u

  • CVE-2025-54467MedSep 17, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log.

  • CVE-2025-53884MedSep 17, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed).

  • CVE-2025-4953HigSep 16, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the c

  • CVE-2025-8396MedSep 15, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed

  • CVE-2025-59361Sep 15, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

  • CVE-2025-59360Sep 15, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

  • CVE-2025-59359Sep 15, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.

  • CVE-2025-59358Sep 15, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.

  • CVE-2025-9072Sep 15, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled

  • CVE-2025-9084Sep 15, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs

  • CVE-2025-9078Sep 15, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks

  • CVE-2025-9076Sep 15, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Matterm

  • CVE-2025-54376HigSep 10, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream rea

  • CVE-2025-54123Sep 10, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vul

  • CVE-2025-58063HigSep 9, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a Do

  • CVE-2025-58430Sep 9, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows

  • CVE-2025-58450CriSep 8, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from injection attempts. Version 2.0

  • CVE-2025-58445Sep 6, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target k

  • CVE-2025-58437Sep 6, 2025
    affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1

    Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a use

Page 4 of 14