rpm package: suse/govulncheck-vulndb (distro: SUSE Linux Enterprise Module for Package Hub 15 SP6)

pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-44005 | Critical | 10.0 | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 17, 2025 | An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks. |
| CVE-2025-66564 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 4, 2025 | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits t |
| CVE-2025-66506 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 4, 2025 | Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in th |
| CVE-2025-66406 | Medium | 5.0 | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 3, 2025 | Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fix |
| CVE-2025-61727 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 3, 2025 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example, a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. |
| CVE-2025-66411 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 3, 2025 | Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM |
| CVE-2025-64443 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 3, 2025 | MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a mali |
| CVE-2025-61729 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a |
| CVE-2025-64750 | Medium | 4.5 | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label w |
| CVE-2025-65105 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor: and --security=selinux: which otherwise put restricti |
| CVE-2025-13353 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The f |
| CVE-2025-13870 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and to subscribe to the block from other boards |
| CVE-2025-66410 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 1, 2025 | Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder. |
| CVE-2025-12756 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 1, 2025 | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users. |
| CVE-2025-65965 | High | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 25, 2025 | Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<fi |
| CVE-2025-64761 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 25, 2025 | OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this |
| CVE-2025-60638 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 24, 2025 | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via a crafted POST request to the Nnssf_NSSAIAvailability API. |
| CVE-2025-60632 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 24, 2025 | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via a crafted POST request to the Npcf_BDTPolicyControl API. |
| CVE-2025-65111 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 21, 2025 | SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on bo |
| CVE-2025-13357 | — | — | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 21, 2025 | Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authent |
Page 1 of 14