rpm package
suse/rhnlib&distro=SUSE Manager Client Tools 12
pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Client%20Tools%2012
Vulnerabilities (37)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-11065 | Med | 5.3 | < 5.0.6-21.55.1 | 5.0.6-21.55.1 | Jan 26, 2026 | A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process | |
| CVE-2025-47908 | Hig | 7.5 | < 5.0.6-21.55.1 | 5.0.6-21.55.1 | Aug 6, 2025 | Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/s | |
| CVE-2025-6197 | Med | 4.2 | < 5.0.6-21.55.1 | 5.0.6-21.55.1 | Jul 18, 2025 | An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL | |
| CVE-2025-6023 | Hig | 7.6 | < 5.0.6-21.55.1 | 5.0.6-21.55.1 | Jul 18, 2025 | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+sec | |
| CVE-2025-3415 | Med | 4.3 | < 5.0.6-21.55.1 | 5.0.6-21.55.1 | Jul 17, 2025 | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+ | |
| CVE-2024-6104 | — | < 5.0.4-21.52.1 | 5.0.4-21.52.1 | Jun 24, 2024 | go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. | ||
| CVE-2023-45142 | — | < 5.0.4-21.52.1 | 5.0.4-21.52.1 | Oct 12, 2023 | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests | ||
| CVE-2022-39307 | — | < 4.3.5-21.46.1 | 4.3.5-21.46.1 | Nov 9, 2022 | Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” m | ||
| CVE-2022-39306 | — | < 4.3.5-21.46.1 | 4.3.5-21.46.1 | Nov 9, 2022 | Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the o | ||
| CVE-2022-39229 | — | < 4.3.5-21.46.1 | 4.3.5-21.46.1 | Oct 13, 2022 | Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are | ||
| CVE-2022-39201 | — | < 4.3.5-21.46.1 | 4.3.5-21.46.1 | Oct 13, 2022 | Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints un | ||
| CVE-2022-31130 | — | < 4.3.5-21.46.1 | 4.3.5-21.46.1 | Oct 13, 2022 | Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoint | ||
| CVE-2022-31123 | — | < 4.3.5-21.46.1 | 4.3.5-21.46.1 | Oct 13, 2022 | Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though uns | ||
| CVE-2022-21698 | — | < 4.3.4-21.43.3 | 4.3.4-21.43.3 | Feb 15, 2022 | client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde | ||
| CVE-2022-21713 | — | < 4.3.4-21.43.3 | 4.3.4-21.43.3 | Feb 8, 2022 | Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the speci | ||
| CVE-2022-21703 | — | < 4.3.4-21.43.3 | 4.3.4-21.43.3 | Feb 8, 2022 | Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users | ||
| CVE-2022-21702 | — | < 4.3.4-21.43.3 | 4.3.4-21.43.3 | Feb 8, 2022 | Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (X | ||
| CVE-2022-21673 | — | < 4.3.4-21.43.3 | 4.3.4-21.43.3 | Jan 18, 2022 | Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the | ||
| CVE-2021-43815 | — | < 4.3.4-21.43.3 | 4.3.4-21.43.3 | Dec 10, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured | ||
| CVE-2021-43813 | — | < 4.3.4-21.43.3 | 4.3.4-21.43.3 | Dec 10, 2021 | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi |
- affected < 5.0.6-21.55.1fixed 5.0.6-21.55.1
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process
- affected < 5.0.6-21.55.1fixed 5.0.6-21.55.1
Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/s
- affected < 5.0.6-21.55.1fixed 5.0.6-21.55.1
An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL
- affected < 5.0.6-21.55.1fixed 5.0.6-21.55.1
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+sec
- affected < 5.0.6-21.55.1fixed 5.0.6-21.55.1
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+
- CVE-2024-6104Jun 24, 2024affected < 5.0.4-21.52.1fixed 5.0.4-21.52.1
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
- CVE-2023-45142Oct 12, 2023affected < 5.0.4-21.52.1fixed 5.0.4-21.52.1
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests
- CVE-2022-39307Nov 9, 2022affected < 4.3.5-21.46.1fixed 4.3.5-21.46.1
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” m
- CVE-2022-39306Nov 9, 2022affected < 4.3.5-21.46.1fixed 4.3.5-21.46.1
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the o
- CVE-2022-39229Oct 13, 2022affected < 4.3.5-21.46.1fixed 4.3.5-21.46.1
Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are
- CVE-2022-39201Oct 13, 2022affected < 4.3.5-21.46.1fixed 4.3.5-21.46.1
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints un
- CVE-2022-31130Oct 13, 2022affected < 4.3.5-21.46.1fixed 4.3.5-21.46.1
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoint
- CVE-2022-31123Oct 13, 2022affected < 4.3.5-21.46.1fixed 4.3.5-21.46.1
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though uns
- CVE-2022-21698Feb 15, 2022affected < 4.3.4-21.43.3fixed 4.3.4-21.43.3
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde
- CVE-2022-21713Feb 8, 2022affected < 4.3.4-21.43.3fixed 4.3.4-21.43.3
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the speci
- CVE-2022-21703Feb 8, 2022affected < 4.3.4-21.43.3fixed 4.3.4-21.43.3
Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users
- CVE-2022-21702Feb 8, 2022affected < 4.3.4-21.43.3fixed 4.3.4-21.43.3
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (X
- CVE-2022-21673Jan 18, 2022affected < 4.3.4-21.43.3fixed 4.3.4-21.43.3
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the
- CVE-2021-43815Dec 10, 2021affected < 4.3.4-21.43.3fixed 4.3.4-21.43.3
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured
- CVE-2021-43813Dec 10, 2021affected < 4.3.4-21.43.3fixed 4.3.4-21.43.3
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files wi
Page 1 of 2