rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-0377 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 21, 2025 | HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. | ||
| CVE-2025-24337 | Hig | 8.4 | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 20, 2025 | WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini. | |
| CVE-2025-23208 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 17, 2025 | zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, t | ||
| CVE-2024-36402 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 16, 2025 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. | ||
| CVE-2024-36403 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 16, 2025 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR before version 1.3.5 is vulnerable to unbounded disk consumption, where an unauthenticated adversary can induce it to download and cache large amounts of remote media files. MMR's t | ||
| CVE-2024-52594 | Med | 4.3 | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 16, 2025 | Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit `c4f1e01` fixes this issue. Users are advised to upgrade. Users unab | |
| CVE-2024-52602 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 16, 2025 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. This is fixed in MMR v1.3.8. Users | ||
| CVE-2024-52791 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 16, 2025 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON back to MMR for parsing. In parsing, MMR can consume large am | ||
| CVE-2024-56515 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 16, 2025 | Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different | ||
| CVE-2025-20621 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 16, 2025 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post | ||
| CVE-2025-20088 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 15, 2025 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. | ||
| CVE-2025-20086 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 15, 2025 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. | ||
| CVE-2025-21088 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 15, 2025 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input. | ||
| CVE-2024-53263 | Hig | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 14, 2025 | Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credential | |
| CVE-2024-56138 | Med | 4.0 | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 13, 2025 | notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certif | |
| CVE-2024-51491 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 13, 2025 | notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab's security audit on the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CR | ||
| CVE-2024-56323 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 13, 2025 | OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [c | ||
| CVE-2025-22149 | Low | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 9, 2025 | JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a secu | |
| CVE-2025-22445 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 9, 2025 | Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting. | ||
| CVE-2025-20033 | — | < 0.0.20250128T150132-150000.1.29.1 | 0.0.20250128T150132-150000.1.29.1 | Jan 9, 2025 | Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific |
- CVE-2025-0377Jan 21, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
- affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.
- CVE-2025-23208Jan 17, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, t
- CVE-2024-36402Jan 16, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository.
- CVE-2024-36403Jan 16, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR before version 1.3.5 is vulnerable to unbounded disk consumption, where an unauthenticated adversary can induce it to download and cache large amounts of remote media files. MMR's t
- affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit `c4f1e01` fixes this issue. Users are advised to upgrade. Users unab
- CVE-2024-52602Jan 16, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. This is fixed in MMR v1.3.8. Users
- CVE-2024-52791Jan 16, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON back to MMR for parsing. In parsing, MMR can consume large am
- CVE-2024-56515Jan 16, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different
- CVE-2025-20621Jan 16, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post
- CVE-2025-20088Jan 15, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
- CVE-2025-20086Jan 15, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
- CVE-2025-21088Jan 15, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
- affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credential
- affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certif
- CVE-2024-51491Jan 13, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab's security audit on the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CR
- CVE-2024-56323Jan 13, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [c
- affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a secu
- CVE-2025-22445Jan 9, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.
- CVE-2025-20033Jan 9, 2025affected < 0.0.20250128T150132-150000.1.29.1fixed 0.0.20250128T150132-150000.1.29.1
Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific
Page 9 of 14