govulncheck-vulndb (SUSE:Linux Enterprise Module for Package Hub 15 SP5) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for Package Hub 15 SP5 package govulncheck-vulndb, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (63)
CVE-2024-9264 — CVSS 9.9 (critical): The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are…
CVE-2024-39223 — CVSS 9.8 (critical): An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback…
CVE-2024-9486 — CVSS 9.8 (critical): A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image…
CVE-2024-47832 — CVSS 9.8 (critical): ssoready is a single sign on provider implemented via docker. Affected versions are vulnerable to XML signature bypass attacks. An attacker…
CVE-2022-45157 — CVSS 9.1 (critical): A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage…
CVE-2024-22036 — CVSS 9.1 (critical): A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root…
CVE-2024-0132 — CVSS 9.0 (critical): NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration…
CVE-2024-9313 — CVSS 8.8 (high): Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform…
CVE-2024-7558 — CVSS 8.7 (high): JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an…
CVE-2024-51735: Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedues web server when viewing results…
CVE-2024-10006 — CVSS 8.3 (high): A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass…
CVE-2024-45794 — CVSS 8.3 (high): devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission)…
CVE-2024-39720 — CVSS 8.2 (high): An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4…
CVE-2024-47534: go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if…
CVE-2024-10005 — CVSS 8.1 (high): A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could…
CVE-2024-22030 — CVSS 8.0 (high): A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack…
CVE-2024-8038 — CVSS 7.9 (high): Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available…
CVE-2024-9675 — CVSS 7.8 (high): A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache…
CVE-2024-10975 — CVSS 7.7 (high): Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through…
CVE-2024-7594 — CVSS 7.5 (high): Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and…
CVE-2024-10389 — CVSS 7.5 (high): There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems (e.g., NTFS). This allows…
CVE-2024-8185 — CVSS 7.5 (high): Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a…
CVE-2024-8901 — CVSS 7.5 (high): The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master…
CVE-2024-9312 — CVSS 7.5 (high): Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names…
CVE-2024-47877 — CVSS 7.5 (high): Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to…
CVE-2024-49757 — CVSS 7.5 (high): The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing…
CVE-2024-49381 — CVSS 7.5 (high): Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is…
CVE-2024-49380 — CVSS 7.5 (high): Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is…
CVE-2024-38365 — CVSS 7.4 (high): btcd is an alternative full node bitcoin implementation written in Go (golang). The btcd Bitcoin client (versions 0.10 to 0.24) did not…
CVE-2024-8996 — CVSS 7.3 (high): Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM…
CVE-2024-8975 — CVSS 7.3 (high): Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue…
CVE-2024-9180 — CVSS 7.2 (high): A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s…
CVE-2024-47616 — CVSS 6.8 (medium): Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium…
CVE-2023-32197 — CVSS 6.6 (medium): A Improper Privilege Management vulnerability in SUSE rancher in RoleTemplateobjects when external=true is set can lead to privilege…
CVE-2024-8037 — CVSS 6.5 (medium): Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with…
CVE-2024-9355 — CVSS 6.5 (medium): A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length…
CVE-2024-9594 — CVSS 6.3 (medium): A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image…
CVE-2024-10086 — CVSS 6.1 (medium): A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP…
CVE-2024-47067 — CVSS 6.1 (medium): AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go…
CVE-2024-48057 — CVSS 6.1 (medium): localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it…
CVE-2024-49753 — CVSS 5.9 (medium): Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have…
CVE-2024-47827 — CVSS 5.7 (medium): Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in…
CVE-2023-22644 — CVSS 5.5 (medium): A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector…
CVE-2024-50354 — CVSS 5.5 (medium): gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16…
CVE-2024-9341 — CVSS 5.4 (medium): A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper…
CVE-2024-50312 — CVSS 5.3 (medium): A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized…
CVE-2024-36814 — CVSS 4.9 (medium): An arbitrary file read vulnerability in Adguard Home before v0.107.52 allows authenticated attackers to access arbitrary files as root on…
CVE-2024-47182 — CVSS 4.8 (medium): Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves…
CVE-2024-9407 — CVSS 4.7 (medium): A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the…
CVE-2024-46872 — CVSS 4.6 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for…
CVE-2024-10241 — CVSS 4.3 (medium): Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get…
CVE-2024-50052 — CVSS 4.3 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration…
CVE-2024-47401 — CVSS 4.3 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in…
CVE-2024-0133 — CVSS 4.1 (medium): NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container…
CVE-2024-47825 — CVSS 4.0 (medium): Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions…
CVE-2024-10214 — CVSS 3.5 (low): Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in…
CVE-2024-51744 — CVSS 3.1 (low): golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to…
CVE-2024-47003 — CVSS 3.1 (low): Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows…
CVE-2024-48921 — CVSS 2.7 (low): Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the…
CVE-2024-10452 — CVSS 2.2 (low): Organization admins can delete pending invites created in an organization they are not part of.
CVE-2024-48909 — CVSS 2.0 (low): SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior…
CVE-2024-51746: Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry…