rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54388 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Jul 30, 2025 | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables | ||
| CVE-2025-50738 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Jul 29, 2025 | The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo | ||
| CVE-2025-53942 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Jul 23, 2025 | authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked | ||
| CVE-2025-23267 | Hig | 8.5 | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Jul 17, 2025 | NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of servi | |
| CVE-2025-23266 | Cri | 9.0 | < 0.0.20251023T162509-150000.1.110.1 | 0.0.20251023T162509-150000.1.110.1 | Jul 17, 2025 | NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data ta | |
| CVE-2024-44906 | — | < 0.0.20250814T182633-150000.1.98.1 | 0.0.20250814T182633-150000.1.98.1 | Jun 12, 2025 | uptrace pgdriver v1.2.1 was discovered to contain a SQL injection vulnerability via the appendArg function in /pgdriver/format.go. The maintainer has stated that the issue is fixed in v1.2.15. | ||
| CVE-2024-52281 | Hig | 8.9 | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Apr 16, 2025 | A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue affects rancher: from 2.9.0 before 2.9.4. | |
| CVE-2024-22036 | Cri | 9.1 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Apr 16, 2025 | A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land withi | |
| CVE-2023-32197 | Med | 6.6 | < 0.0.20241030T212825-150000.1.9.1 | 0.0.20241030T212825-150000.1.9.1 | Apr 16, 2025 | A Improper Privilege Management vulnerability in SUSE rancher in RoleTemplateobjects when external=true is set can lead to privilege escalation in specific scenarios.This issue affects rancher: from 2.7.0 before 2.7.14, from 2.8.0 before 2.8.5. | |
| CVE-2025-22868 | — | < 0.0.20250226T025151-150000.1.35.1 | 0.0.20250226T025151-150000.1.35.1 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2025-22869 | — | < 0.0.20250226T025151-150000.1.35.1 | 0.0.20250226T025151-150000.1.35.1 | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | ||
| CVE-2025-24366 | Hig | 7.5 | < 0.0.20250207T224745-150000.1.32.1 | 0.0.20250207T224745-150000.1.32.1 | Feb 7, 2025 | SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it | |
| CVE-2025-24786 | — | < 0.0.20250207T224745-150000.1.32.1 | 0.0.20250207T224745-150000.1.32.1 | Feb 6, 2025 | WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine | ||
| CVE-2025-24787 | — | < 0.0.20250207T224745-150000.1.32.1 | 0.0.20250207T224745-150000.1.32.1 | Feb 6, 2025 | WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string conca | ||
| CVE-2025-22867 | Hig | 7.5 | < 0.0.20250207T224745-150000.1.32.1 | 0.0.20250207T224745-150000.1.32.1 | Feb 6, 2025 | On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2. | |
| CVE-2025-22866 | Med | 4.0 | < 0.0.20250207T224745-150000.1.32.1 | 0.0.20250207T224745-150000.1.32.1 | Feb 6, 2025 | Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover | |
| CVE-2025-24371 | Hig | — | < 0.0.20250207T224745-150000.1.32.1 | 0.0.20250207T224745-150000.1.32.1 | Feb 3, 2025 | CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the `blocksync` protocol peers send their `base` and `latest` heights when they connect to a new node (`A`), which is syncing to the tip of a network. `base` acts as a lower gr | |
| CVE-2024-35177 | — | < 0.0.20250207T224745-150000.1.32.1 | 0.0.20250207T224745-150000.1.32.1 | Feb 3, 2025 | Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. The wazuh-agent for Windows is vulnerable to a Local Privilege Escalat | ||
| CVE-2024-47770 | — | < 0.0.20250207T224745-150000.1.32.1 | 0.0.20250207T224745-150000.1.32.1 | Feb 3, 2025 | Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. This vulnerability occurs when the system has weak privilege access, t | ||
| CVE-2024-11741 | Med | 4.3 | < 0.0.20250207T224745-150000.1.32.1 | 0.0.20250207T224745-150000.1.32.1 | Jan 31, 2025 | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15 |
- CVE-2025-54388Jul 30, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables
- CVE-2025-50738Jul 29, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo
- CVE-2025-53942Jul 23, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked
- affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of servi
- affected < 0.0.20251023T162509-150000.1.110.1fixed 0.0.20251023T162509-150000.1.110.1
NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data ta
- CVE-2024-44906Jun 12, 2025affected < 0.0.20250814T182633-150000.1.98.1fixed 0.0.20250814T182633-150000.1.98.1
uptrace pgdriver v1.2.1 was discovered to contain a SQL injection vulnerability via the appendArg function in /pgdriver/format.go. The maintainer has stated that the issue is fixed in v1.2.15.
- affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue affects rancher: from 2.9.0 before 2.9.4.
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land withi
- affected < 0.0.20241030T212825-150000.1.9.1fixed 0.0.20241030T212825-150000.1.9.1
A Improper Privilege Management vulnerability in SUSE rancher in RoleTemplateobjects when external=true is set can lead to privilege escalation in specific scenarios.This issue affects rancher: from 2.7.0 before 2.7.14, from 2.8.0 before 2.8.5.
- CVE-2025-22868Feb 26, 2025affected < 0.0.20250226T025151-150000.1.35.1fixed 0.0.20250226T025151-150000.1.35.1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- CVE-2025-22869Feb 26, 2025affected < 0.0.20250226T025151-150000.1.35.1fixed 0.0.20250226T025151-150000.1.35.1
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
- affected < 0.0.20250207T224745-150000.1.32.1fixed 0.0.20250207T224745-150000.1.32.1
SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it
- CVE-2025-24786Feb 6, 2025affected < 0.0.20250207T224745-150000.1.32.1fixed 0.0.20250207T224745-150000.1.32.1
WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine
- CVE-2025-24787Feb 6, 2025affected < 0.0.20250207T224745-150000.1.32.1fixed 0.0.20250207T224745-150000.1.32.1
WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string conca
- affected < 0.0.20250207T224745-150000.1.32.1fixed 0.0.20250207T224745-150000.1.32.1
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
- affected < 0.0.20250207T224745-150000.1.32.1fixed 0.0.20250207T224745-150000.1.32.1
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
- affected < 0.0.20250207T224745-150000.1.32.1fixed 0.0.20250207T224745-150000.1.32.1
CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the `blocksync` protocol peers send their `base` and `latest` heights when they connect to a new node (`A`), which is syncing to the tip of a network. `base` acts as a lower gr
- CVE-2024-35177Feb 3, 2025affected < 0.0.20250207T224745-150000.1.32.1fixed 0.0.20250207T224745-150000.1.32.1
Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. The wazuh-agent for Windows is vulnerable to a Local Privilege Escalat
- CVE-2024-47770Feb 3, 2025affected < 0.0.20250207T224745-150000.1.32.1fixed 0.0.20250207T224745-150000.1.32.1
Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. This vulnerability occurs when the system has weak privilege access, t
- affected < 0.0.20250207T224745-150000.1.32.1fixed 0.0.20250207T224745-150000.1.32.1
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15
Page 7 of 14