VYPR

rpm package

suse/govulncheck-vulndb&distro=SUSE Package Hub 12

pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Package%20Hub%2012

Vulnerabilities (56)

  • CVE-2024-49380Oct 25, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. Version 0

  • CVE-2024-50312Oct 22, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilita

  • CVE-2024-8901HigOct 22, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but

  • CVE-2024-47825Oct 21, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is a policy rule referencing a more n

  • CVE-2024-9264Oct 18, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user wit

  • CVE-2024-22030HigOct 16, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain to exploit this

  • CVE-2024-9594Oct 15, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabl

  • CVE-2024-9486Oct 15, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resultin

  • CVE-2024-48909Oct 14, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permi

  • CVE-2024-38365Oct 11, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    btcd is an alternative full node bitcoin implementation written in Go (golang). The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This logic is consensus-critical: the difference in behavior with the oth

  • CVE-2024-47877Oct 11, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then

  • CVE-2024-9180Oct 10, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.

  • CVE-2024-9312Oct 10, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.

  • CVE-2024-47832Oct 9, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    ssoready is a single sign on provider implemented via docker. Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature bypass if you have access to certain IDP-signed messages. The underlying mechanism exploits differential behavior be

  • CVE-2024-9675Oct 9, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as lo

  • CVE-2024-36814MedOct 8, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    An arbitrary file read vulnerability in Adguard Home before v0.107.52 allows authenticated attackers to access arbitrary files as root on the underlying Operating System via placing a crafted file into a readable directory.

  • CVE-2024-9313Oct 3, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them.

  • CVE-2024-47616MedOct 2, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by

  • CVE-2024-8038Oct 2, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks.

  • CVE-2024-8037Oct 2, 2024
    affected < 0.0.20241104T154416-5.1fixed 0.0.20241104T154416-5.1

    Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are norm