rpm package
suse/govulncheck-vulndb&distro=SUSE Package Hub 12
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Package%20Hub%2012
Vulnerabilities (56)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-22036 | Cri | 9.1 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Apr 16, 2025 | A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land withi | |
| CVE-2023-32197 | Med | 6.6 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Apr 16, 2025 | A Improper Privilege Management vulnerability in SUSE rancher in RoleTemplateobjects when external=true is set can lead to privilege escalation in specific scenarios.This issue affects rancher: from 2.7.0 before 2.7.14, from 2.8.0 before 2.8.5. | |
| CVE-2022-45157 | Cri | 9.1 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Nov 13, 2024 | A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being st | |
| CVE-2024-39720 | Hig | 8.2 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 31, 2024 | An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-cont | |
| CVE-2024-8185 | Hig | 7.5 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 31, 2024 | Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint | |
| CVE-2024-50354 | Med | 5.5 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 31, 2024 | gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16 verification keys allocate excessive memory, consuming a lot of resources and triggering a crash with the error fatal error: runtime: out of m | |
| CVE-2024-10086 | Med | 6.1 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. | |
| CVE-2024-10006 | Hig | 8.3 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. | |
| CVE-2024-10005 | Hig | 8.1 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. | |
| CVE-2024-10452 | Low | 2.2 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 29, 2024 | Organization admins can delete pending invites created in an organization they are not part of. | |
| CVE-2024-48921 | Low | 2.7 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 29, 2024 | Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not rec | |
| CVE-2024-47401 | Med | 4.3 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 29, 2024 | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the applicat | |
| CVE-2024-46872 | Med | 4.6 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 29, 2024 | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks | |
| CVE-2024-50052 | Med | 4.3 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 29, 2024 | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post. | |
| CVE-2024-10241 | Med | 4.3 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 29, 2024 | Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K. | |
| CVE-2024-47827 | Med | 5.7 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 28, 2024 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow. | |
| CVE-2024-10214 | Low | 3.5 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 28, 2024 | Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings. | |
| CVE-2024-49757 | Hig | 7.5 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 25, 2024 | The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option | |
| CVE-2024-49753 | Med | 5.9 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 25, 2024 | Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). | |
| CVE-2024-49381 | Hig | 7.5 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 25, 2024 | Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may lead to information loss. Version 0.7.2 fi |
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land withi
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A Improper Privilege Management vulnerability in SUSE rancher in RoleTemplateobjects when external=true is set can lead to privilege escalation in specific scenarios.This issue affects rancher: from 2.7.0 before 2.7.14, from 2.8.0 before 2.8.5.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being st
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-cont
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16 verification keys allocate excessive memory, consuming a lot of resources and triggering a crash with the error fatal error: runtime: out of m
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Organization admins can delete pending invites created in an organization they are not part of.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from any namespace. Administrators may not rec
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the applicat
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the argo workflows controller can be made to crash on-command by any user with access to execute a workflow.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1).
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may lead to information loss. Version 0.7.2 fi
Page 1 of 3