rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-9566 | Hig | 8.1 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 5, 2025 | There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only | |
| CVE-2025-7445 | Med | 6.5 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 5, 2025 | Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs. | |
| CVE-2025-55190 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 4, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials ( | ||
| CVE-2025-58355 | Hig | 7.7 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 4, 2025 | Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0. | |
| CVE-2025-56761 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 3, 2025 | Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges | ||
| CVE-2025-56760 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 3, 2025 | When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server. | ||
| CVE-2024-58259 | Hig | 8.2 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 2, 2025 | A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a malicious user to exploit this by sending excessively large payloads, which are f | |
| CVE-2024-52284 | Hig | 7.7 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Sep 2, 2025 | Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets. | |
| CVE-2025-58157 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Aug 29, 2025 | gnark is a zero-knowledge proof system framework. In version 0.12.0, there is a potential denial of service vulnerability when computing scalar multiplication is using the fake-GLV algorithm. This is because the algorithm didn't converge quickly enough for some of the inputs. Thi | ||
| CVE-2025-58158 | Hig | 8.8 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Aug 29, 2025 | Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git L | |
| CVE-2025-58058 | Med | 5.3 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Aug 28, 2025 | xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the | |
| CVE-2025-6203 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Aug 28, 2025 | A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server | ||
| CVE-2025-5187 | Med | 6.7 | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Aug 27, 2025 | A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is su | |
| CVE-2025-51667 | — | < 0.0.20250918T182144-150000.1.107.1 | 0.0.20250918T182144-150000.1.107.1 | Aug 27, 2025 | An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations. | ||
| CVE-2025-55003 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password ( | ||
| CVE-2025-55001 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying | ||
| CVE-2025-55000 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caus | ||
| CVE-2025-54999 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non- | ||
| CVE-2025-54998 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. Thi | ||
| CVE-2025-54997 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network |
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs.
- CVE-2025-55190Sep 4, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0.
- CVE-2025-56761Sep 3, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges
- CVE-2025-56760Sep 3, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a malicious user to exploit this by sending excessively large payloads, which are f
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets.
- CVE-2025-58157Aug 29, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
gnark is a zero-knowledge proof system framework. In version 0.12.0, there is a potential denial of service vulnerability when computing scalar multiplication is using the fake-GLV algorithm. This is because the algorithm didn't converge quickly enough for some of the inputs. Thi
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git L
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the
- CVE-2025-6203Aug 28, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server
- affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is su
- CVE-2025-51667Aug 27, 2025affected < 0.0.20250918T182144-150000.1.107.1fixed 0.0.20250918T182144-150000.1.107.1
An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations.
- CVE-2025-55003Aug 9, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (
- CVE-2025-55001Aug 9, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying
- CVE-2025-55000Aug 9, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caus
- CVE-2025-54999Aug 9, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-
- CVE-2025-54998Aug 9, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. Thi
- CVE-2025-54997Aug 9, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network
Page 5 of 14