rpm package
suse/govulncheck-vulndb&distro=SUSE Package Hub 12
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Package%20Hub%2012
Vulnerabilities (56)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-49380 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 25, 2024 | Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. Version 0 | ||
| CVE-2024-50312 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 22, 2024 | A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilita | ||
| CVE-2024-8901 | Hig | 7.5 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 22, 2024 | The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but | |
| CVE-2024-47825 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 21, 2024 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is a policy rule referencing a more n | ||
| CVE-2024-9264 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 18, 2024 | The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user wit | ||
| CVE-2024-22030 | Hig | 8.0 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 16, 2024 | A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain to exploit this | |
| CVE-2024-9594 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 15, 2024 | A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabl | ||
| CVE-2024-9486 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 15, 2024 | A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resultin | ||
| CVE-2024-48909 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 14, 2024 | SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permi | ||
| CVE-2024-38365 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 11, 2024 | btcd is an alternative full node bitcoin implementation written in Go (golang). The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This logic is consensus-critical: the difference in behavior with the oth | ||
| CVE-2024-47877 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 11, 2024 | Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then | ||
| CVE-2024-9180 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 10, 2024 | A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16. | ||
| CVE-2024-9312 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 10, 2024 | Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. | ||
| CVE-2024-47832 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 9, 2024 | ssoready is a single sign on provider implemented via docker. Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature bypass if you have access to certain IDP-signed messages. The underlying mechanism exploits differential behavior be | ||
| CVE-2024-9675 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 9, 2024 | A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as lo | ||
| CVE-2024-36814 | Med | 4.9 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 8, 2024 | An arbitrary file read vulnerability in Adguard Home before v0.107.52 allows authenticated attackers to access arbitrary files as root on the underlying Operating System via placing a crafted file into a readable directory. | |
| CVE-2024-9313 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 3, 2024 | Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them. | ||
| CVE-2024-47616 | Med | 6.8 | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 2, 2024 | Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by | |
| CVE-2024-8038 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 2, 2024 | Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks. | ||
| CVE-2024-8037 | — | < 0.0.20241104T154416-5.1 | 0.0.20241104T154416-5.1 | Oct 2, 2024 | Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are norm |
- CVE-2024-49380Oct 25, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. Version 0
- CVE-2024-50312Oct 22, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilita
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but
- CVE-2024-47825Oct 21, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is a policy rule referencing a more n
- CVE-2024-9264Oct 18, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user wit
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain to exploit this
- CVE-2024-9594Oct 15, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabl
- CVE-2024-9486Oct 15, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resultin
- CVE-2024-48909Oct 14, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permi
- CVE-2024-38365Oct 11, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
btcd is an alternative full node bitcoin implementation written in Go (golang). The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This logic is consensus-critical: the difference in behavior with the oth
- CVE-2024-47877Oct 11, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then
- CVE-2024-9180Oct 10, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
- CVE-2024-9312Oct 10, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.
- CVE-2024-47832Oct 9, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
ssoready is a single sign on provider implemented via docker. Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature bypass if you have access to certain IDP-signed messages. The underlying mechanism exploits differential behavior be
- CVE-2024-9675Oct 9, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as lo
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
An arbitrary file read vulnerability in Adguard Home before v0.107.52 allows authenticated attackers to access arbitrary files as root on the underlying Operating System via placing a crafted file into a readable directory.
- CVE-2024-9313Oct 3, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them.
- affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by
- CVE-2024-8038Oct 2, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks.
- CVE-2024-8037Oct 2, 2024affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1
Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are norm
Page 2 of 3