CVE-2022-31668 (GCVE-0-2022-31668)
Vulnerability from cvelistv5 – Published: 2024-11-14 11:56 – Updated: 2024-11-14 19:33
Title
User permission validation failure and disclosure of P2P preheat execution logs
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
Severity
7.4 (High)
CWE: CWE-285
Assigner
References
Date Public
2022-08-30 21:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31668",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T18:53:45.416941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T19:33:24.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating p2p preheat policies.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:56:31.043Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "User permission validation failure and disclosure of P2P preheat execution logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31668",
"datePublished": "2024-11-14T11:56:31.043Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-14T19:33:24.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-31668\",\"sourceIdentifier\":\"security@vmware.com\",\"published\":\"2024-11-14T12:15:16.607\",\"lastModified\":\"2024-11-19T15:25:25.797\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.\"},{\"lang\":\"es\",\"value\":\"Harbor no puede validar los permisos de usuario al actualizar las pol\u00edticas de precalentamiento P2P. Al enviar una solicitud para actualizar una pol\u00edtica de precalentamiento P2P con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podr\u00eda modificar las pol\u00edticas de precalentamiento P2P configuradas en otros 
proyectos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.1,\"impactScore\":3.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.4.3\",\"matchCriteriaId\":\"14BEA987-A012-4745-A79A-7BCF5E9CD567\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.0\",\"versionEndExcluding\":\"2.5.2\",\"matchCriteriaId\":\"1B643770-6018-4D81-B386-91011E437F0D\"}]}]}],\"references\":[{\"url\":\"https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7\",\"source\":\"security@vmware.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31668\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-14T18:53:45.416941Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-14T18:54:26.780Z\"}}], \"cna\": {\"title\": \"User permission validation failure and disclosure of P2P preheat execution logs\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"Harbor\", \"versions\": [{\"status\": \"affected\", \"version\": \"Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2022-08-30T21:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Harbor fails to validate the user permissions when updating p2p preheat policies.\\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.\", \"supportingMedia\": [{\"type\": 
\"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eHarbor fails to validate the user permissions when updating p2p preheat policies.\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eBy sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.\u003c/span\u003e\\n\\n\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285\"}]}], \"providerMetadata\": {\"orgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"shortName\": \"vmware\", \"dateUpdated\": \"2024-11-14T11:56:31.043Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-31668\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-14T19:33:24.795Z\", \"dateReserved\": \"2022-05-25T23:31:47.418Z\", \"assignerOrgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"datePublished\": \"2024-11-14T11:56:31.043Z\", \"assignerShortName\": \"vmware\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
OPENSUSE-SU-2024:14599-1
Vulnerability from csaf_opensuse - Published: 2024-12-18 00:00 - Updated: 2024-12-18 00:00
Summary
govulncheck-vulndb-0.0.20241213T205935-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: govulncheck-vulndb-0.0.20241213T205935-1.1 on GA media
Description of the patch: These are all security issues fixed in the govulncheck-vulndb-0.0.20241213T205935-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14599
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
7.7 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
8.8 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
8.8 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
6.2 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
8.1 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
7.5 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
7.5 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "govulncheck-vulndb-0.0.20241213T205935-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20241213T205935-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14599",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14599-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14599-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QTUY324RV3FFZBHVIWDHRCIOPJHIJIN4/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14599-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QTUY324RV3FFZBHVIWDHRCIOPJHIJIN4/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-10696 page",
"url": "https://www.suse.com/security/cve/CVE-2020-10696/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8912 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8912/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-31668 page",
"url": "https://www.suse.com/security/cve/CVE-2022-31668/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-26248 page",
"url": "https://www.suse.com/security/cve/CVE-2023-26248/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-3676 page",
"url": "https://www.suse.com/security/cve/CVE-2023-3676/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-3955 page",
"url": "https://www.suse.com/security/cve/CVE-2023-3955/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-12401 page",
"url": "https://www.suse.com/security/cve/CVE-2024-12401/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-37032 page",
"url": "https://www.suse.com/security/cve/CVE-2024-37032/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-44337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-44337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45039 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45039/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45436 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45436/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-46455 page",
"url": "https://www.suse.com/security/cve/CVE-2024-46455/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-46528 page",
"url": "https://www.suse.com/security/cve/CVE-2024-46528/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53257 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53257/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53859 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53859/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-55601 page",
"url": "https://www.suse.com/security/cve/CVE-2024-55601/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-55657 page",
"url": "https://www.suse.com/security/cve/CVE-2024-55657/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-55658 page",
"url": "https://www.suse.com/security/cve/CVE-2024-55658/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-55659 page",
"url": "https://www.suse.com/security/cve/CVE-2024-55659/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-55660 page",
"url": "https://www.suse.com/security/cve/CVE-2024-55660/"
}
],
"title": "govulncheck-vulndb-0.0.20241213T205935-1.1 on GA media",
"tracking": {
"current_release_date": "2024-12-18T00:00:00Z",
"generator": {
"date": "2024-12-18T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14599-1",
"initial_release_date": "2024-12-18T00:00:00Z",
"revision_history": [
{
"date": "2024-12-18T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"product": {
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"product_id": "govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"product": {
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"product_id": "govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"product": {
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"product_id": "govulncheck-vulndb-0.0.20241213T205935-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64",
"product": {
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64",
"product_id": "govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64"
},
"product_reference": "govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le"
},
"product_reference": "govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x"
},
"product_reference": "govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
},
"product_reference": "govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-10696",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-10696"
}
],
"notes": [
{
"category": "general",
"text": "A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user\u0027s system anywhere that the user has permissions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-10696",
"url": "https://www.suse.com/security/cve/CVE-2020-10696"
},
{
"category": "external",
"summary": "SUSE Bug 1167864 for CVE-2020-10696",
"url": "https://bugzilla.suse.com/1167864"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-10696"
},
{
"cve": "CVE-2020-8912",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8912"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8912",
"url": "https://www.suse.com/security/cve/CVE-2020-8912"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2020-8912"
},
{
"cve": "CVE-2022-31668",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-31668"
}
],
"notes": [
{
"category": "general",
"text": "Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-31668",
"url": "https://www.suse.com/security/cve/CVE-2022-31668"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-31668"
},
{
"cve": "CVE-2023-26248",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-26248"
}
],
"notes": [
{
"category": "general",
"text": "The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content by generating many Sybil peers whose peer IDs have a small distance from the content ID, thus hijacking the content resolution process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-26248",
"url": "https://www.suse.com/security/cve/CVE-2023-26248"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-26248"
},
{
"cve": "CVE-2023-3676",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-3676"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in Kubernetes where a user\n that can create pods on Windows nodes may be able to escalate to admin \nprivileges on those nodes. Kubernetes clusters are only affected if they\n include Windows nodes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-3676",
"url": "https://www.suse.com/security/cve/CVE-2023-3676"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-3676"
},
{
"cve": "CVE-2023-3955",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-3955"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-3955",
"url": "https://www.suse.com/security/cve/CVE-2023-3955"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-3955"
},
{
"cve": "CVE-2024-12401",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-12401"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-12401",
"url": "https://www.suse.com/security/cve/CVE-2024-12401"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-12401"
},
{
"cve": "CVE-2024-37032",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-37032"
}
],
"notes": [
{
"category": "general",
"text": "Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-37032",
"url": "https://www.suse.com/security/cve/CVE-2024-37032"
},
{
"category": "external",
"summary": "SUSE Bug 1225724 for CVE-2024-37032",
"url": "https://bugzilla.suse.com/1225724"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-37032"
},
{
"cve": "CVE-2024-44337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-44337"
}
],
"notes": [
{
"category": "general",
"text": "The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `v0.0.0-20240729232818-a2a9c4f`, which corresponds with commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252`, there was a logical problem in the paragraph function of the parser/block.go file, which allowed a remote attacker to cause a denial of service (DoS) condition by providing a tailor-made input that caused an infinite loop, causing the program to hang and consume resources indefinitely. Submit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252` contains fixes to this problem.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-44337",
"url": "https://www.suse.com/security/cve/CVE-2024-44337"
},
{
"category": "external",
"summary": "SUSE Bug 1231713 for CVE-2024-44337",
"url": "https://bugzilla.suse.com/1231713"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-44337"
},
{
"cve": "CVE-2024-45039",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45039"
}
],
"notes": [
{
"category": "general",
"text": "gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for optimized non-native multiplication, lookup checks etc. as random challenges, this could impact the soundness of the whole circuit. However, using multiple commitments has been discouraged due to the additional cost to the verifier and it has not been supported in the recursive in-circuit Groth16 verifier and Solidity verifier. gnark\u0027s maintainers expect the impact of the issue to be very small - only for the users who have implemented the native Groth16 verifier or are using it with multiple commitments. We do not have information about such users. The issue has been patched in version 0.11.0. As a workaround, users should follow gnark maintainers\u0027 recommendation to use only a single commitment and then derive in-circuit commitments as needed using the `std/multicommit` package.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45039",
"url": "https://www.suse.com/security/cve/CVE-2024-45039"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45039"
},
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state.\nOnce the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
},
{
"cve": "CVE-2024-45436",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45436"
}
],
"notes": [
{
"category": "general",
"text": "extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45436",
"url": "https://www.suse.com/security/cve/CVE-2024-45436"
},
{
"category": "external",
"summary": "SUSE Bug 1229895 for CVE-2024-45436",
"url": "https://bugzilla.suse.com/1229895"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45436"
},
{
"cve": "CVE-2024-46455",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-46455"
}
],
"notes": [
{
"category": "general",
"text": "unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-46455",
"url": "https://www.suse.com/security/cve/CVE-2024-46455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2024-46455"
},
{
"cve": "CVE-2024-46528",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-46528"
}
],
"notes": [
{
"category": "general",
"text": "An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere 4.x before 4.1.3 and 3.x through 3.4.1 and KubeSphere Enterprise 4.x before 4.1.3 and 3.x through 3.5.0 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-46528",
"url": "https://www.suse.com/security/cve/CVE-2024-46528"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-46528"
},
{
"cve": "CVE-2024-53257",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53257"
}
],
"notes": [
{
"category": "general",
"text": "Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages are rendered using text/template instead of rendering with a proper HTML templating engine. This vulnerability is fixed in 21.0.1, 20.0.4, and 19.0.8.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53257",
"url": "https://www.suse.com/security/cve/CVE-2024-53257"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-53257"
},
{
"cve": "CVE-2024-53859",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53859"
}
],
"notes": [
{
"category": "general",
"text": "go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. `go-gh` sources authentication tokens from different environment variables depending on the host involved: 1. `GITHUB_TOKEN`, `GH_TOKEN` for GitHub.com and ghe.com and 2. `GITHUB_ENTERPRISE_TOKEN`, `GH_ENTERPRISE_TOKEN` for GitHub Enterprise Server. Prior to version `2.11.1`, `auth.TokenForHost` could source a token from the `GITHUB_TOKEN` environment variable for a host other than GitHub.com or ghe.com when within a codespace. In version `2.11.1`, `auth.TokenForHost` will only source a token from the `GITHUB_TOKEN` environment variable for GitHub.com or ghe.com hosts. Successful exploitation could send authentication token to an unintended host. This issue has been addressed in version 2.11.1 and all users are advised to upgrade. Users are also advised to regenerate authentication tokens and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53859",
"url": "https://www.suse.com/security/cve/CVE-2024-53859"
},
{
"category": "external",
"summary": "SUSE Bug 1233976 for CVE-2024-53859",
"url": "https://bugzilla.suse.com/1233976"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-53859"
},
{
"cve": "CVE-2024-55601",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-55601"
}
],
"notes": [
{
"category": "general",
"text": "Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below are not escaped in internal render hooks. Those who are impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-55601",
"url": "https://www.suse.com/security/cve/CVE-2024-55601"
},
{
"category": "external",
"summary": "SUSE Bug 1234340 for CVE-2024-55601",
"url": "https://bugzilla.suse.com/1234340"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-55601"
},
{
"cve": "CVE-2024-55657",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-55657"
}
],
"notes": [
{
"category": "general",
"text": "SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan\u0027s `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 contains a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-55657",
"url": "https://www.suse.com/security/cve/CVE-2024-55657"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-55657"
},
{
"cve": "CVE-2024-55658",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-55658"
}
],
"notes": [
{
"category": "general",
"text": "SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan\u0027s /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure. Version 3.1.16 contains a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-55658",
"url": "https://www.suse.com/security/cve/CVE-2024-55658"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-55658"
},
{
"cve": "CVE-2024-55659",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-55659"
}
],
"notes": [
{
"category": "general",
"text": "SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-55659",
"url": "https://www.suse.com/security/cve/CVE-2024-55659"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-55659"
},
{
"cve": "CVE-2024-55660",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-55660"
}
],
"notes": [
{
"category": "general",
"text": "SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan\u0027s `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-55660",
"url": "https://www.suse.com/security/cve/CVE-2024-55660"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241213T205935-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-18T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-55660"
}
]
}
GSD-2022-31668
Vulnerability from gsd - Updated: 2023-12-13 01:19
Details
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Aliases
{
"GSD": {
"alias": "CVE-2022-31668",
"id": "GSD-2022-31668"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-31668"
],
"id": "GSD-2022-31668",
"modified": "2023-12-13T01:19:18.264511Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-31668",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
}
}
FKIE_CVE-2022-31668
Vulnerability from fkie_nvd - Published: 2024-11-14 12:15 - Updated: 2024-11-19 15:25
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al actualizar las pol\u00edticas de precalentamiento P2P. Al enviar una solicitud para actualizar una pol\u00edtica de precalentamiento P2P con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podr\u00eda modificar las pol\u00edticas de precalentamiento P2P configuradas en otros proyectos."
}
],
"id": "CVE-2022-31668",
"lastModified": "2024-11-19T15:25:25.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 3.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:16.607",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-R864-28PW-8682
Vulnerability from github – Published: 2024-11-14 12:31 – Updated: 2024-12-12 19:15
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies
Details
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
Severity ?
7.4 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor/src"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220630175814-b4ef1db"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31668"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-14T18:33:49Z",
"nvd_published_at": "2024-11-14T12:15:16Z",
"severity": "HIGH"
},
"details": "Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.",
"id": "GHSA-r864-28pw-8682",
"modified": "2024-12-12T19:15:24Z",
"published": "2024-11-14T12:31:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31668"
},
{
"type": "PACKAGE",
"url": "https://github.com/goharbor/harbor"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3268"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Harbor fails to validate the user permissions when updating p2p preheat policies"
}
bit-harbor-2022-31668
Vulnerability from bitnami_vulndb
Published
2024-11-20 07:10
Modified
2025-05-20 10:02
Summary
User permission validation failure and disclosure of P2P preheat execution logs
Details
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "harbor",
"purl": "pkg:bitnami/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.3"
},
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.2"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2022-31668"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.",
"id": "BIT-harbor-2022-31668",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-11-20T07:10:59.480Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31668"
}
],
"schema_version": "1.5.0",
"summary": "User permission validation failure and disclosure of P2P preheat execution logs"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.