rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54996 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their s | ||
| CVE-2025-7195 | Med | 6.4 | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 7, 2025 | Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Develo | |
| CVE-2025-47907 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 7, 2025 | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex | ||
| CVE-2025-54799 | Low | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 7, 2025 | Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which | |
| CVE-2025-44779 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 7, 2025 | An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull. | ||
| CVE-2025-6013 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 6, 2025 | Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1. | ||
| CVE-2025-54801 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 5, 2025 | Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds s | ||
| CVE-2025-53534 | Hig | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 5, 2025 | RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take o | |
| CVE-2025-8341 | Med | 5.0 | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 4, 2025 | Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints. If the plugin was configured to allow only certain URLs, an attacker could | |
| CVE-2025-54386 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 1, 2025 | Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file path | ||
| CVE-2025-54424 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 1, 2025 | 1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during cer | ||
| CVE-2025-6015 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 1, 2025 | Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | ||
| CVE-2025-6011 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 1, 2025 | A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and | ||
| CVE-2025-6004 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 1, 2025 | Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | ||
| CVE-2025-6037 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 1, 2025 | Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an att | ||
| CVE-2025-6014 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 1, 2025 | Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | ||
| CVE-2025-6000 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 1, 2025 | A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.1 | ||
| CVE-2025-5999 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Aug 1, 2025 | A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22. | ||
| CVE-2025-54576 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Jul 30, 2025 | OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skip_auth_routes co | ||
| CVE-2025-54410 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Jul 30, 2025 | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail |
- CVE-2025-54996Aug 9, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their s
- affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Develo
- CVE-2025-47907Aug 7, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
- affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which
- CVE-2025-44779Aug 7, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull.
- CVE-2025-6013Aug 6, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.
- CVE-2025-54801Aug 5, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds s
- affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take o
- affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints. If the plugin was configured to allow only certain URLs, an attacker could
- CVE-2025-54386Aug 1, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file path
- CVE-2025-54424Aug 1, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during cer
- CVE-2025-6015Aug 1, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
- CVE-2025-6011Aug 1, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and
- CVE-2025-6004Aug 1, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
- CVE-2025-6037Aug 1, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an att
- CVE-2025-6014Aug 1, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
- CVE-2025-6000Aug 1, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.1
- CVE-2025-5999Aug 1, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.
- CVE-2025-54576Jul 30, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skip_auth_routes co
- CVE-2025-54410Jul 30, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail
Page 6 of 14