rpm package
suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6
pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
Vulnerabilities (274)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-44005 | Cri | 10.0 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 17, 2025 | An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks. | |
| CVE-2025-66564 | Hig | 7.5 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 4, 2025 | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits t | |
| CVE-2025-66506 | Hig | 7.5 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 4, 2025 | Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in th | |
| CVE-2025-66411 | Hig | 7.8 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 3, 2025 | Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM | |
| CVE-2025-66406 | Med | 5.0 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 3, 2025 | Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fix | |
| CVE-2025-61727 | Med | 6.5 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 3, 2025 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | |
| CVE-2025-64443 | Cri | 9.6 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 3, 2025 | MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a mali | |
| CVE-2025-61729 | Hig | 7.5 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a | |
| CVE-2025-65105 | Med | 4.5 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor: and --security=selinux: which otherwise put restricti | |
| CVE-2025-64750 | Med | 4.5 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label w | |
| CVE-2025-13353 | Med | 5.5 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The f | |
| CVE-2025-13870 | Low | 3.1 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 2, 2025 | Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards | |
| CVE-2025-66410 | Cri | 9.1 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 1, 2025 | Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder. | |
| CVE-2025-12756 | Med | 4.3 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Dec 1, 2025 | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users. | |
| CVE-2025-65965 | Hig | — | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 25, 2025 | Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<fi | |
| CVE-2025-64761 | Hig | 7.2 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 25, 2025 | OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this | |
| CVE-2025-60638 | Hig | 7.5 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 24, 2025 | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API. | |
| CVE-2025-60632 | Med | 6.5 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 24, 2025 | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API. | |
| CVE-2025-65111 | Med | 5.3 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 21, 2025 | SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on bo | |
| CVE-2025-41115 | Cri | 10.0 | < 0.0.20251209T172047-150000.1.127.1 | 0.0.20251209T172047-150000.1.127.1 | Nov 21, 2025 | SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vuln |
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits t
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in th
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fix
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a mali
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor: and --security=selinux: which otherwise put restricti
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label w
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The f
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder.
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<fi
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API.
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API.
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on bo
- affected < 0.0.20251209T172047-150000.1.127.1fixed 0.0.20251209T172047-150000.1.127.1
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vuln
Page 1 of 14