rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-8077 | Cri | 9.8 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 17, 2025 | A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could u | |
| CVE-2025-54467 | Med | 5.3 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 17, 2025 | When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log. | |
| CVE-2025-53884 | Med | 5.3 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 17, 2025 | NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed). | |
| CVE-2025-4953 | Hig | 7.4 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 16, 2025 | A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the c | |
| CVE-2025-8396 | Med | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 15, 2025 | Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed | |
| CVE-2025-59361 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 15, 2025 | The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | ||
| CVE-2025-59360 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 15, 2025 | The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | ||
| CVE-2025-59359 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 15, 2025 | The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | ||
| CVE-2025-59358 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 15, 2025 | The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service. | ||
| CVE-2025-9072 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 15, 2025 | Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled | ||
| CVE-2025-9084 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 15, 2025 | Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs | ||
| CVE-2025-9078 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 15, 2025 | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks | ||
| CVE-2025-9076 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 15, 2025 | Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Matterm | ||
| CVE-2025-54376 | Hig | 7.5 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 10, 2025 | Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream rea | |
| CVE-2025-54123 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 10, 2025 | Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vul | ||
| CVE-2025-58063 | Hig | 7.1 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 9, 2025 | CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a Do | |
| CVE-2025-58430 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 9, 2025 | listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows | ||
| CVE-2025-58450 | Cri | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 8, 2025 | pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from injection attempts. Version 2.0 | |
| CVE-2025-58445 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 6, 2025 | Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target k | ||
| CVE-2025-58437 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 6, 2025 | Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a use |
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could u
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log.
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed).
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the c
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed
- CVE-2025-59361Sep 15, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
- CVE-2025-59360Sep 15, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
- CVE-2025-59359Sep 15, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
- CVE-2025-59358Sep 15, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.
- CVE-2025-9072Sep 15, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled
- CVE-2025-9084Sep 15, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
- CVE-2025-9078Sep 15, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks
- CVE-2025-9076Sep 15, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Matterm
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream rea
- CVE-2025-54123Sep 10, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vul
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a Do
- CVE-2025-58430Sep 9, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from injection attempts. Version 2.0
- CVE-2025-58445Sep 6, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target k
- CVE-2025-58437Sep 6, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a use
Page 4 of 14