Vulnerability-Lookup

URL	Tags
https://github.com/go-git/go-git/security/advisor…	x_refsource_CONFIRM

Vendor	Product	Version
go-git	go-git	Affected: >= 4.0.0, < 5.13.0

alsa-2025:0401

Vulnerability from osv_almalinux

Published

2025-01-20 00:00

Modified

2025-01-20 13:47

Summary

Important: grafana security update

Details

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

go-git: argument injection via the URL field (CVE-2025-21613)
go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies (CVE-2025-21614)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:0401	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-21613	REPORT
	https://access.redhat.com/security/cve/CVE-2025-21614	REPORT
	https://bugzilla.redhat.com/2335888	REPORT
	https://bugzilla.redhat.com/2335901	REPORT
	https://errata.almalinux.org/8/ALSA-2025-0401.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.2.10-21.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "grafana-selinux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.2.10-21.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB.   \n\nSecurity Fix(es):  \n\n  * go-git: argument injection via the URL field (CVE-2025-21613)\n  * go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies (CVE-2025-21614)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:0401",
  "modified": "2025-01-20T13:47:27Z",
  "published": "2025-01-20T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:0401"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-21613"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-21614"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2335888"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2335901"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2025-0401.html"
    }
  ],
  "related": [
    "CVE-2025-21613",
    "CVE-2025-21614"
  ],
  "summary": "Important: grafana security update"
}

BDU:2025-00211

Vulnerability from fstec - Published: 06.01.2025

Title

Уязвимость библиотеки go-git, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость библиотеки go-git связана с неограниченным распределением ресурсов. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, вызвать отказ в обслуживании

Severity


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor

Red Hat Inc., Сообщество свободного программного обеспечения, ООО «Ред Софт», GitHub Inc

Software Name

Red Hat Enterprise Linux, Debian GNU/Linux, РЕД ОС (запись в едином реестре российских программ №3751), Red Hat Advanced Cluster Management for Kubernetes, Red Hat OpenShift GitOps, Red Hat OpenShift Container Platform, Red Hat OpenStack Platform, OpenShift Developer Tools and Services, Red Hat OpenShift Virtualization, OpenShift Serverless, Red Hat OpenShift Dev Spaces, OpenShift API for Data Protection, Red Hat Advanced Cluster Security, Red Hat Ceph Storage, OpenShift AI, go-git

Software Version

8 (Red Hat Enterprise Linux), 12 (Debian GNU/Linux), 7.3 (РЕД ОС), 2 (Red Hat Advanced Cluster Management for Kubernetes), - (Red Hat OpenShift GitOps), 4 (Red Hat OpenShift Container Platform), 9 (Red Hat Enterprise Linux), 16.2 (Red Hat OpenStack Platform), - (OpenShift Developer Tools and Services), 4 (Red Hat OpenShift Virtualization), - (OpenShift Serverless), 17.1 (Red Hat OpenStack Platform), - (Red Hat OpenShift Dev Spaces), - (OpenShift API for Data Protection), 4 (Red Hat Advanced Cluster Security), 7 (Red Hat Ceph Storage), - (OpenShift AI), до 5.13.0 (go-git)

Possible Mitigations

В условиях отсутствия обновлений безопасности от производителя рекомендуется придерживаться "Рекомендаций по безопасной настройке операционных систем LINUX", изложенных в методическом документе ФСТЭК России, утверждённом 25 декабря 2022 года. Использование рекомендаций: Для библиотеки go-git: https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4 Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/cve-2025-21614 Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2025-21614 Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

Reference

https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4 https://access.redhat.com/security/cve/cve-2025-21614 https://security-tracker.debian.org/tracker/CVE-2025-21614 http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

CWE

CWE-400, CWE-770

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, GitHub Inc",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "8 (Red Hat Enterprise Linux), 12 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 2 (Red Hat Advanced Cluster Management for Kubernetes), - (Red Hat OpenShift GitOps), 4 (Red Hat OpenShift Container Platform), 9 (Red Hat Enterprise Linux), 16.2 (Red Hat OpenStack Platform), - (OpenShift Developer Tools and Services), 4 (Red Hat OpenShift Virtualization), - (OpenShift Serverless), 17.1 (Red Hat OpenStack Platform), - (Red Hat OpenShift Dev Spaces), - (OpenShift API for Data Protection), 4 (Red Hat Advanced Cluster Security), 7 (Red Hat Ceph Storage), - (OpenShift AI), \u0434\u043e 5.13.0 (go-git)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0412 \u0443\u0441\u043b\u043e\u0432\u0438\u044f\u0445 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u044f \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u043e\u0442 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u0438\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0442\u044c\u0441\u044f \"\u0420\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u043e \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0439 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0435 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c LINUX\", \u0438\u0437\u043b\u043e\u0436\u0435\u043d\u043d\u044b\u0445 \u0432 \u043c\u0435\u0442\u043e\u0434\u0438\u0447\u0435\u0441\u043a\u043e\u043c \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0435 \u0424\u0421\u0422\u042d\u041a \u0420\u043e\u0441\u0441\u0438\u0438, \u0443\u0442\u0432\u0435\u0440\u0436\u0434\u0451\u043d\u043d\u043e\u043c 25 \u0434\u0435\u043a\u0430\u0431\u0440\u044f 2022 \u0433\u043e\u0434\u0430.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 go-git:\nhttps://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2025-21614\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2025-21614\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "06.01.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "19.02.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "13.01.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-00211",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-21614",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat Enterprise Linux, Debian GNU/Linux, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Red Hat Advanced Cluster Management for Kubernetes, Red Hat OpenShift GitOps, Red Hat OpenShift Container Platform, Red Hat OpenStack Platform, OpenShift Developer Tools and Services, Red Hat OpenShift Virtualization, OpenShift Serverless, Red Hat OpenShift Dev Spaces, OpenShift API for Data Protection, Red Hat Advanced Cluster Security, Red Hat Ceph Storage, OpenShift AI, go-git",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Red Hat Inc. Red Hat Enterprise Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Red Hat Inc. Red Hat Enterprise Linux 9 ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 go-git, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u043c \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435\u043c \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u0439 \u0440\u0430\u0441\u0445\u043e\u0434 \u0440\u0435\u0441\u0443\u0440\u0441\u0430 (\u00ab\u0418\u0441\u0442\u043e\u0449\u0435\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u00bb) (CWE-400), \u041d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u043e\u0435 \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432 \u0438\u043b\u0438 \u0434\u0440\u043e\u0441\u0441\u0435\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 (CWE-770)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 go-git \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u043c \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435\u043c \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u0441\u0447\u0435\u0440\u043f\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4\nhttps://access.redhat.com/security/cve/cve-2025-21614\nhttps://security-tracker.debian.org/tracker/CVE-2025-21614\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041f\u041e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438/\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u041f\u041e \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0418\u0418",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-400, CWE-770",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

CERTFR-2025-AVI-0337

Vulnerability from certfr_avis - Published: 2025-04-18 - Updated: 2025-04-18

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Sterling	Sterling Connect:Direct Web Services versions 6.1.x antérieures à 6.1.0.28
IBM	QRadar	QRadar Suite Software versions 1.1x.x.x antérieures à 1.11.2.x
IBM	Cloud Pak	Cloud Pak for Security versions 1.1x.x.x antérieures à 1.11.2.x
IBM	QRadar	SOAR QRadar Plugin App versions antérieures à 5.6.0

References

Title

Publication Time

CERTFR-2025-AVI-0622

Vulnerability from certfr_avis - Published: 2025-07-25 - Updated: 2025-07-25

De multiples vulnérabilités ont été découvertes dans les produits VMware. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
VMware	Tanzu Platform	Tanzu Platform versions 4.0.x antérieures à 4.0.38+LTS-T pour Cloud Foundry Windows
VMware	Tanzu Platform	Tanzu Platform versions 10.0.x antérieures à 10.0.8 pour Cloud Foundry Windows
VMware	N/A	Stemcells sans le dernier correctif de sécurité
VMware	Tanzu Platform	Tanzu Platform versions 4.0.x antérieures à 4.0.38+LTS-T pour Cloud Foundry
VMware	Tanzu Platform	Tanzu Platform versions 6.0.x antérieures à 6.0.18+LTS-T pour Cloud Foundry Windows
VMware	Tanzu	Anti-Virus sans le dernier correctif de sécurité pour Tanzu version 2.4.0
VMware	Tanzu	Scheduler sans le dernier correctif de sécurité pour Tanzu version 2.0.19
VMware	Tanzu Platform	Tanzu Platform versions 6.0.x antérieures à 6.0.18+LTS-T pour Cloud Foundry
VMware	Tanzu Platform	GenAI sans le dernier correctif de sécurité pour Tanzu Platform pour Cloud Foundry version 10.2.1
VMware	Tanzu Application Service	Tanzu Application Service versions antérieures à 1.16.11
VMware	Tanzu Platform	Tanzu Platform versions 10.2.x antérieures à 10.2.1+LTS-T pour Cloud Foundry isolation segment
VMware	Tanzu Platform	Tanzu Platform versions 10.0.x antérieures à 10.0.8 pour Cloud Foundry isolation segment
VMware	Tanzu	Spring Cloud Services sans le dernier correctif de sécurité pour Tanzu version 3.3.8
VMware	Tanzu Platform	Tanzu Platform versions 10.0.x antérieures à 10.0.8 pour Cloud Foundry
VMware	Tanzu Platform	Tanzu Platform versions 4.0.x antérieures à 4.0.38+LTS-T pour Cloud Foundry isolation segment
VMware	Tanzu	Spring Cloud Data Flow sans le dernier correctif de sécurité pour Tanzu version 1.14.7
VMware	Tanzu Platform	Tanzu Platform versions 6.0.x antérieures à 6.0.18+LTS-T pour Cloud Foundry isolation segment
VMware	Tanzu Platform	Tanzu Platform versions 10.2.x antérieures à 10.2.1+LTS-T pour Cloud Foundry
VMware	Tanzu Application Service	Single Sign-On sans le dernier correctif de sécurité pour Tanzu Application Service version 1.16.11
VMware	Tanzu	File Integrity Monitoring sans le dernier correctif de sécurité pour Tanzu version 2.1.47

References

Title

Publication Time

CERTFR-2026-AVI-0641

Vulnerability from certfr_avis - Published: 2026-05-22 - Updated: 2026-05-22

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	AIX	Open SDK pour Rust sur AIX versions 1.92.x sans le correctif de sécurité Fix Pack 2
IBM	WebSphere	WebSphere Automation versions 1.1x antérieures à 1.12.1
IBM	Db2	Db2 versions 12.1.x antérieures à 12.1.4 sans le correctif Special Build #83501
IBM	Db2	Db2 Big SQL versions 7.6.x à 8.3.x antérieures à 8.3.1 patch 4
IBM	Db2	Db2 sur Cloud Pak for Data et Db2 Warehouse sur Cloud Pak for Data versions 4.8.x à 5.3.x antérieures à 5.3.1
IBM	AIX	Open SDK pour Rust sur AIX versions 1.90.x sans le correctif de sécurité Fix Pack 2
IBM	Sterling	Sterling Transformation Extender versions 11.0.1.1 et 11.0.2.0 sans le correctif de sécurité PH71227
IBM	Db2	Db2 versions 11.5.x antérieures à 11.5.9 sans le correctif Special Build #81937

References

Title

Publication Time

FKIE_CVE-2025-21614

Vulnerability from fkie_nvd - Published: 2025-01-06 17:15 - Updated: 2025-09-30 15:24

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

References

	URL	Tags
	security-advisories@github.com	https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4	Vendor Advisory

Impacted products

	Vendor	Product	Version
	go-git_project	go-git	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "77FFEE6C-CE0C-435F-9466-13BC2B95D09E",
              "versionEndExcluding": "5.13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability."
    },
    {
      "lang": "es",
      "value": "Go-git es una librer\u00eda de implementaci\u00f3n de Git altamente extensible escrita en Go puro. Se descubri\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en versiones de Go-git anteriores a la v5.13. Esta vulnerabilidad permite a un atacante realizar ataques de denegaci\u00f3n de servicio al proporcionar respuestas especialmente manipuladas desde un servidor Git que desencadenan el agotamiento de recursos en los clientes de Go-git. Se recomienda a los usuarios que ejecutan versiones de Go-git de la v4 y posteriores que actualicen a la v5.13 para mitigar esta vulnerabilidad."
    }
  ],
  "id": "CVE-2025-21614",
  "lastModified": "2025-09-30T15:24:48.423",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-06T17:15:47.310",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-R9PX-M959-CXF4

Vulnerability from github – Published: 2025-01-06 16:20 – Updated: 2025-08-27 14:24

Summary

go-git clients vulnerable to DoS via maliciously crafted Git server replies

Details

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gopkg.in/src-d/go-git.v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "last_affected": "4.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-git/go-git/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-git/go-git"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "last_affected": "4.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-21614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-06T16:20:28Z",
    "nvd_published_at": "2025-01-06T17:15:47Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.13`. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in `go-git` clients. \n\nThis is a `go-git` implementation issue and does not affect the upstream `git` cli.\n\n### Patches\nUsers running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.\n\n### Workarounds\nIn cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trust-worthy Git servers.\n\n## Credit\nThanks to Ionut Lalu for responsibly disclosing this vulnerability to us.",
  "id": "GHSA-r9px-m959-cxf4",
  "modified": "2025-08-27T14:24:37Z",
  "published": "2025-01-06T16:20:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21614"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-git/go-git"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "go-git clients vulnerable to DoS via maliciously crafted Git server replies"
}

MSRC_CVE-2025-21614

Vulnerability from csaf_microsoft - Published: 2025-01-02 00:00 - Updated: 2026-02-18 01:25

Summary

go-git clients vulnerable to DoS via maliciously crafted Git server replies

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2025-21614

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 6 products

Product	Identifier	Version	Remediation
Unresolved product id: 17759-17084		—
Unresolved product id: 19843-17086		—
Unresolved product id: 19777-17086		—
Unresolved product id: 19287-17086		—
Unresolved product id: 19285-17086		—
Unresolved product id: 19286-17084		—

Known affected 6 products

Product	Version	Remediation
Unresolved product id: 17084-6	—	Vendor Fix fix
Unresolved product id: 17086-1	—	Vendor Fix fix
Unresolved product id: 17086-2	—	Vendor Fix fix
Unresolved product id: 17086-3	—	Vendor Fix fix
Unresolved product id: 17086-5	—	Vendor Fix fix
Unresolved product id: 17084-4	—	Vendor Fix fix

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2025/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2025/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2025-21614 go-git clients vulnerable to DoS via maliciously crafted Git server replies - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-21614.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "go-git clients vulnerable to DoS via maliciously crafted Git server replies",
    "tracking": {
      "current_release_date": "2026-02-18T01:25:17.000Z",
      "generator": {
        "date": "2026-02-18T09:44:32.762Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2025-21614",
      "initial_release_date": "2025-01-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-01-16T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2025-04-16T00:00:00.000Z",
          "legacy_version": "1",
          "number": "2",
          "summary": "Information published."
        },
        {
          "date": "2025-04-17T00:00:00.000Z",
          "legacy_version": "1.1",
          "number": "3",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-18T00:00:00.000Z",
          "legacy_version": "1.2",
          "number": "4",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-19T00:00:00.000Z",
          "legacy_version": "1.3",
          "number": "5",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-20T00:00:00.000Z",
          "legacy_version": "1.4",
          "number": "6",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-21T00:00:00.000Z",
          "legacy_version": "1.5",
          "number": "7",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-22T00:00:00.000Z",
          "legacy_version": "1.6",
          "number": "8",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-23T00:00:00.000Z",
          "legacy_version": "1.7",
          "number": "9",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-24T00:00:00.000Z",
          "legacy_version": "1.8",
          "number": "10",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-25T00:00:00.000Z",
          "legacy_version": "1.9",
          "number": "11",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-01-17T00:00:00.000Z",
          "legacy_version": "2",
          "number": "12",
          "summary": "Information published."
        },
        {
          "date": "2025-04-26T00:00:00.000Z",
          "legacy_version": "2",
          "number": "13",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-28T00:00:00.000Z",
          "legacy_version": "2.1",
          "number": "14",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-29T00:00:00.000Z",
          "legacy_version": "2.2",
          "number": "15",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-30T00:00:00.000Z",
          "legacy_version": "2.3",
          "number": "16",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-01T00:00:00.000Z",
          "legacy_version": "2.4",
          "number": "17",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-02T00:00:00.000Z",
          "legacy_version": "2.5",
          "number": "18",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-03T00:00:00.000Z",
          "legacy_version": "2.6",
          "number": "19",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-04T00:00:00.000Z",
          "legacy_version": "2.7",
          "number": "20",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-05T00:00:00.000Z",
          "legacy_version": "2.8",
          "number": "21",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-06T00:00:00.000Z",
          "legacy_version": "2.9",
          "number": "22",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-07T00:00:00.000Z",
          "legacy_version": "3",
          "number": "23",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-09T00:00:00.000Z",
          "legacy_version": "3",
          "number": "24",
          "summary": "Information published."
        },
        {
          "date": "2025-05-08T00:00:00.000Z",
          "legacy_version": "3.1",
          "number": "25",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-09T00:00:00.000Z",
          "legacy_version": "3.2",
          "number": "26",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-10T00:00:00.000Z",
          "legacy_version": "3.3",
          "number": "27",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-11T00:00:00.000Z",
          "legacy_version": "3.4",
          "number": "28",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-12T00:00:00.000Z",
          "legacy_version": "3.5",
          "number": "29",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-13T00:00:00.000Z",
          "legacy_version": "3.6",
          "number": "30",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-14T00:00:00.000Z",
          "legacy_version": "3.7",
          "number": "31",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-15T00:00:00.000Z",
          "legacy_version": "3.8",
          "number": "32",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-16T00:00:00.000Z",
          "legacy_version": "3.9",
          "number": "33",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-10T00:00:00.000Z",
          "legacy_version": "4",
          "number": "34",
          "summary": "Information published."
        },
        {
          "date": "2025-05-17T00:00:00.000Z",
          "legacy_version": "4",
          "number": "35",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-18T00:00:00.000Z",
          "legacy_version": "4.1",
          "number": "36",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-19T00:00:00.000Z",
          "legacy_version": "4.2",
          "number": "37",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-20T00:00:00.000Z",
          "legacy_version": "4.3",
          "number": "38",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-21T00:00:00.000Z",
          "legacy_version": "4.4",
          "number": "39",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-22T00:00:00.000Z",
          "legacy_version": "4.5",
          "number": "40",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-23T00:00:00.000Z",
          "legacy_version": "4.6",
          "number": "41",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-24T00:00:00.000Z",
          "legacy_version": "4.7",
          "number": "42",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-25T00:00:00.000Z",
          "legacy_version": "4.8",
          "number": "43",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-26T00:00:00.000Z",
          "legacy_version": "4.9",
          "number": "44",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-05-27T00:00:00.000Z",
          "legacy_version": "5",
          "number": "45",
          "summary": "Added packer to CBL-Mariner 2.0\nAdded packer to Azure Linux 3.0"
        },
        {
          "date": "2025-04-11T00:00:00.000Z",
          "legacy_version": "5",
          "number": "46",
          "summary": "Information published."
        },
        {
          "date": "2025-04-12T00:00:00.000Z",
          "legacy_version": "6",
          "number": "47",
          "summary": "Information published."
        },
        {
          "date": "2025-04-13T00:00:00.000Z",
          "legacy_version": "7",
          "number": "48",
          "summary": "Information published."
        },
        {
          "date": "2025-04-14T00:00:00.000Z",
          "legacy_version": "8",
          "number": "49",
          "summary": "Information published."
        },
        {
          "date": "2025-04-15T00:00:00.000Z",
          "legacy_version": "9",
          "number": "50",
          "summary": "Information published."
        },
        {
          "date": "2026-02-18T01:25:17.000Z",
          "legacy_version": "9.1",
          "number": "51",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "51"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 packer 1.9.5-6",
                "product": {
                  "name": "\u003cazl3 packer 1.9.5-6",
                  "product_id": "6"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 packer 1.9.5-6",
                "product": {
                  "name": "azl3 packer 1.9.5-6",
                  "product_id": "17759"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 packer 1.9.5-5",
                "product": {
                  "name": "\u003ccbl2 packer 1.9.5-5",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 packer 1.9.5-5",
                "product": {
                  "name": "cbl2 packer 1.9.5-5",
                  "product_id": "19843"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 packer 1.9.5-7",
                "product": {
                  "name": "\u003ccbl2 packer 1.9.5-7",
                  "product_id": "5"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 packer 1.9.5-7",
                "product": {
                  "name": "cbl2 packer 1.9.5-7",
                  "product_id": "19285"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 packer 1.9.5-5",
                "product": {
                  "name": "\u003cazl3 packer 1.9.5-5",
                  "product_id": "4"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 packer 1.9.5-5",
                "product": {
                  "name": "azl3 packer 1.9.5-5",
                  "product_id": "19286"
                }
              }
            ],
            "category": "product_name",
            "name": "packer"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 cri-o 1.22.3-14",
                "product": {
                  "name": "\u003ccbl2 cri-o 1.22.3-14",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 cri-o 1.22.3-14",
                "product": {
                  "name": "cbl2 cri-o 1.22.3-14",
                  "product_id": "19777"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 cri-o 1.22.3-13",
                "product": {
                  "name": "\u003ccbl2 cri-o 1.22.3-13",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 cri-o 1.22.3-13",
                "product": {
                  "name": "cbl2 cri-o 1.22.3-13",
                  "product_id": "19287"
                }
              }
            ],
            "category": "product_name",
            "name": "cri-o"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 packer 1.9.5-6 as a component of Azure Linux 3.0",
          "product_id": "17084-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 packer 1.9.5-6 as a component of Azure Linux 3.0",
          "product_id": "17759-17084"
        },
        "product_reference": "17759",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 packer 1.9.5-5 as a component of CBL Mariner 2.0",
          "product_id": "17086-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 packer 1.9.5-5 as a component of CBL Mariner 2.0",
          "product_id": "19843-17086"
        },
        "product_reference": "19843",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 cri-o 1.22.3-14 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 cri-o 1.22.3-14 as a component of CBL Mariner 2.0",
          "product_id": "19777-17086"
        },
        "product_reference": "19777",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 cri-o 1.22.3-13 as a component of CBL Mariner 2.0",
          "product_id": "17086-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 cri-o 1.22.3-13 as a component of CBL Mariner 2.0",
          "product_id": "19287-17086"
        },
        "product_reference": "19287",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 packer 1.9.5-7 as a component of CBL Mariner 2.0",
          "product_id": "17086-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 packer 1.9.5-7 as a component of CBL Mariner 2.0",
          "product_id": "19285-17086"
        },
        "product_reference": "19285",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 packer 1.9.5-5 as a component of Azure Linux 3.0",
          "product_id": "17084-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 packer 1.9.5-5 as a component of Azure Linux 3.0",
          "product_id": "19286-17084"
        },
        "product_reference": "19286",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-21614",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "17759-17084",
          "19843-17086",
          "19777-17086",
          "19287-17086",
          "19285-17086",
          "19286-17084"
        ],
        "known_affected": [
          "17084-6",
          "17086-1",
          "17086-2",
          "17086-3",
          "17086-5",
          "17084-4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-21614 go-git clients vulnerable to DoS via maliciously crafted Git server replies - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-21614.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-01-16T00:00:00.000Z",
          "details": "1.9.5-5:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-6",
            "17084-4"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2025-01-16T00:00:00.000Z",
          "details": "1.9.5-7:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-1",
            "17086-5"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2025-01-16T00:00:00.000Z",
          "details": "1.22.3-13:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-2",
            "17086-3"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalsScore": 0.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "17084-6",
            "17086-1",
            "17086-2",
            "17086-3",
            "17086-5",
            "17084-4"
          ]
        }
      ],
      "title": "go-git clients vulnerable to DoS via maliciously crafted Git server replies"
    }
  ]
}

OPENSUSE-SU-2025:0056-1

Vulnerability from csaf_opensuse - Published: 2025-02-07 11:01 - Updated: 2025-02-07 11:01

Summary

Security update for trivy

Severity

Moderate

Notes

Title of the patch: Security update for trivy

Description of the patch: This update for trivy fixes the following issues: Update to version 0.58.2 ( boo#1234512, CVE-2024-45337, boo#1235265, CVE-2024-45338): * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238) * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237) * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215) * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168) * fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158) * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156) * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142) * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136) * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135) * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125) * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124) * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122) * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121) * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119) * release: v0.58.0 [main] (#7874) * fix(misconf): wrap AWS EnvVar to iac types (#7407) * chore(deps): Upgrade trivy-checks (#8018) * refactor(misconf): Remove unused options (#7896) * docs: add terminology page to explain Trivy concepts (#7996) * feat: add `workspaceRelationship` (#7889) * refactor(sbom): simplify relationship generation (#7985) * docs: improve databases documentation (#7732) * refactor: remove support for custom Terraform checks (#7901) * docs: drop AWS account scanning (#7997) * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995) * fix(cli): Handle empty ignore files more gracefully (#7962) * fix(misconf): load full Terraform module (#7925) * fix(misconf): properly resolve local Terraform cache (#7983) * refactor(k8s): add v prefix for Go packages (#7839) * test: replace Go checks with Rego (#7867) * feat(misconf): log causes of HCL file parsing errors (#7634) * chore(deps): bump the aws group across 1 directory with 7 updates (#7991) * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990) * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992) * chore: downgrade the failed block expand message to debug (#7964) * fix(misconf): do not erase variable type for child modules (#7941) * feat(go): construct dependencies of `go.mod` main module in the parser (#7977) * feat(go): construct dependencies in the parser (#7973) * feat: add cvss v4 score and vector in scan response (#7968) * docs: add `overview` page for `others` (#7972) * fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871) * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965) * chore(deps): bump the common group with 4 updates (#7949) * feat(oracle): add `flavors` support (#7858) * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953) * chore(deps): Bump up trivy-checks to v1.3.0 (#7959) * fix(k8s): check all results for vulnerabilities (#7946) * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945) * feat(secret): Add built-in secrets rules for Private Packagist (#7826) * docs: Fix broken links (#7900) * docs: fix mistakes/typos (#7942) * feat: Update registry fallbacks (#7679) * fix(alpine): add `UID` for removed packages (#7887) * chore(deps): bump the aws group with 6 updates (#7902) * chore(deps): bump the common group with 6 updates (#7904) * fix(debian): infinite loop (#7928) * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912) * docs: add note about temporary podman socket (#7921) * docs: combine trivy.dev into trivy docs (#7884) * test: change branch in spdx schema link to check in integration tests (#7935) * docs: add Headlamp to the Trivy Ecosystem page (#7916) * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898) * chore(k8s): enhance k8s scan log (#6997) * fix(terraform): set null value as fallback for missing variables (#7669) * fix(misconf): handle null properties in CloudFormation templates (#7813) * fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882) * chore(deps): bump the common group across 1 directory with 20 updates (#7876) * chore: bump containerd to v2.0.0 (#7875) * fix: Improve version comparisons when build identifiers are present (#7873) * feat(k8s): add default commands for unknown platform (#7863) * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868) * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862) * test: save `containerd` image into archive and use in tests (#7816) * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854) * chore: bump golangci-lint to v1.61.0 (#7853) - Update to version 0.57.1: * release: v0.57.1 [release/v0.57] (#7943) * feat: Update registry fallbacks [backport: release/v0.57] (#7944) * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939) * test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940) * release: v0.57.0 [main] (#7710) * chore: lint `errors.Join` (#7845) * feat(db): append errors (#7843) * docs(java): add info about supported scopes (#7842) * docs: add example of creating whitelist of checks (#7821) * chore(deps): Bump trivy-checks (#7819) * fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733) * fix(k8s): skip resources without misconfigs (#7797) * fix(sbom): use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811) * fix(cli): add config name to skip-policy-update alias (#7820) * fix(helm): properly handle multiple archived dependencies (#7782) * refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776) * fix(k8s)!: support k8s multi container (#7444) * fix(k8s): support kubernetes v1.31 (#7810) * docs: add Windows install instructions (#7800) * ci(helm): auto public Helm chart after PR merged (#7526) * feat: add end of life date for Ubuntu 24.10 (#7787) * feat(report): update gitlab template to populate operating_system value (#7735) * feat(misconf): Show misconfig ID in output (#7762) * feat(misconf): export unresolvable field of IaC types to Rego (#7765) * refactor(k8s): scan config files as a folder (#7690) * fix(license): fix license normalization for Universal Permissive License (#7766) * fix: enable usestdlibvars linter (#7770) * fix(misconf): properly expand dynamic blocks (#7612) * feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507) * fix(misconf): fix for Azure Storage Account network acls adaptation (#7602) * refactor(misconf): simplify k8s scanner (#7717) * feat(parser): ignore white space in pom.xml files (#7747) * test: use forked images (#7755) * fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541) * fix(misconf): check if property is not nil before conversion (#7578) * fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577) * feat(misconf): ssl_mode support for GCP SQL DB instance (#7564) * test: define constants for test images (#7739) * docs: add note about disabled DS016 check (#7724) * feat(misconf): public network support for Azure Storage Account (#7601) * feat(cli): rename `trivy auth` to `trivy registry` (#7727) * docs: apt-transport-https is a transitional package (#7678) * refactor(misconf): introduce generic scanner (#7515) * fix(cli): `clean --all` deletes only relevant dirs (#7704) * feat(cli): add `trivy auth` (#7664) * fix(sbom): add options for DBs in private registries (#7660) * docs(report): fix reporting doc format (#7671) * fix(repo): `git clone` output to Stderr (#7561) * fix(redhat): include arch in PURL qualifiers (#7654) * fix(report): Fix invalid URI in SARIF report (#7645) * docs(report): Improve SARIF reporting doc (#7655) * fix(db): fix javadb downloading error handling (#7642) * feat(cli): error out when ignore file cannot be found (#7624) - Update to version 0.56.2: * release: v0.56.2 [release/v0.56] (#7694) * fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702) * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691) - Update to version 0.56.1: * release: v0.56.1 [release/v0.56] (#7648) * fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646) * release: v0.56.0 [main] (#7447) * fix(misconf): not to warn about missing selectors of libraries (#7638) * feat: support RPM archives (#7628) * fix(secret): change grafana token regex to find them without unquoted (#7627) * fix(misconf): Disable deprecated checks by default (#7632) * chore: add prefixes to log messages (#7625) * feat(misconf): Support `--skip-*` for all included modules (#7579) * feat: support multiple DB repositories for vulnerability and Java DB (#7605) * ci: don't use cache for `setup-go` (#7622) * test: use loaded image names (#7617) * feat(java): add empty versions if `pom.xml` dependency versions can't be detected (#7520) * feat(secret): enhance secret scanning for python binary files (#7223) * refactor: fix auth error handling (#7615) * ci: split `save` and `restore` cache actions (#7614) * fix(misconf): disable DS016 check for image history analyzer (#7540) * feat(suse): added SUSE Linux Enterprise Micro support (#7294) * feat(misconf): add ability to disable checks by ID (#7536) * fix(misconf): escape all special sequences (#7558) * test: use a local registry for remote scanning (#7607) * fix: allow access to '..' in mapfs (#7575) * fix(db): check `DownloadedAt` for `trivy-java-db` (#7592) * chore(deps): bump the common group across 1 directory with 20 updates (#7604) * ci: add `workflow_dispatch` trigger for test workflow. (#7606) * ci: cache test images for `integration`, `VM` and `module` tests (#7599) * chore(deps): remove broken replaces for opa and discovery (#7600) * docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458) * fix(misconf): Fixed scope for China Cloud (#7560) * perf(misconf): use port ranges instead of enumeration (#7549) * fix(sbom): export bom-ref when converting a package to a component (#7340) * refactor(misconf): pass options to Rego scanner as is (#7529) * fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (#7527) * chore(deps): bump go-ebs-file (#7513) * fix(misconf): Fix logging typo (#7473) * feat(misconf): Register checks only when needed (#7435) * refactor: split `.egg` and `packaging` analyzers (#7514) * fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents (#7497) * chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (#7510) * chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508) * chore(vex): suppress openssl vulnerabilities (#7500) * revert(java): stop supporting of `test` scope for `pom.xml` files (#7488) * docs(db): add a manifest example (#7485) * feat(license): improve license normalization (#7131) * docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449) * fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (#7463) * fix(report): change a receiver of MarshalJSON (#7483) * fix(oracle): Update EOL date for Oracle 7 (#7480) * chore(deps): bump the aws group with 6 updates (#7468) * chore(deps): bump the common group across 1 directory with 19 updates (#7436) * chore(helm): bump up Trivy Helm chart (#7441) * refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (#7451) * fix(license): stop spliting a long license text (#7336) * release: v0.55.0 [main] (#7271) * feat(go): use `toolchain` as `stdlib` version for `go.mod` files (#7163) * fix(license): add license handling to JUnit template (#7409) * feat(java): add `test` scope support for `pom.xml` files (#7414) * chore(deps): Bump trivy-checks and pin OPA (#7427) * fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (#7362) * feat(sbom): set User-Agent header on requests to Rekor (#7396) * test: add integration plugin tests (#7299) * fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (#7387) * fix: logger initialization before flags parsing (#7372) * fix(aws): handle ECR repositories in different regions (#6217) * fix(misconf): fix infer type for null value (#7424) * fix(secret): use `.eyJ` keyword for JWT secret (#7410) * fix(misconf): do not recreate filesystem map (#7416) * chore(deps): Bump trivy-checks (#7417) * fix(misconf): do not register Rego libs in checks registry (#7420) * fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (#7403) * feat(report): export modified findings in JSON (#7383) * feat(server): Make Trivy Server Multiplexer Exported (#7389) * chore: update CODEOWNERS (#7398) * fix(secret): use only line with secret for long secret lines (#7412) * chore: fix allow rule of ignoring test files to make it case insensitive (#7415) * feat(misconf): port and protocol support for EC2 networks (#7146) * fix(misconf): do not filter Terraform plan JSON by name (#7406) * feat(misconf): support for ignore by nested attributes (#7205) * fix(misconf): use module to log when metadata retrieval fails (#7405) * fix(report): escape `Message` field in `asff.tpl` template (#7401) * feat(misconf): Add support for using spec from on-disk bundle (#7179) * docs: add pkg flags to config file page (#7370) * feat(python): use minimum version for pip packages (#7348) * fix(misconf): support deprecating for Go checks (#7377) * fix(misconf): init frameworks before updating them (#7376) * feat(misconf): ignore duplicate checks (#7317) * refactor(misconf): use slog (#7295) * chore(deps): bump trivy-checks (#7350) * feat(server): add internal `--path-prefix` flag for client/server mode (#7321) * chore(deps): bump the aws group across 1 directory with 7 updates (#7358) * fix: safely check if the directory exists (#7353) * feat(misconf): variable support for Terraform Plan (#7228) * feat(misconf): scanning support for YAML and JSON (#7311) * fix(misconf): wrap Azure PortRange in iac types (#7357) * refactor(misconf): highlight only affected rows (#7310) * fix(misconf): change default TLS values for the Azure storage account (#7345) * chore(deps): bump the common group with 9 updates (#7333) * docs(misconf): Update callsites to use correct naming (#7335) * docs: update air-gapped docs (#7160) * refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323) * perf(misconf): optimize work with context (#6968) * docs: update links to packaging.python.org (#7318) * docs: update client/server docs for misconf and license scanning (#7277) * chore(deps): bump the common group across 1 directory with 7 updates (#7305) * feat(misconf): iterator argument support for dynamic blocks (#7236) * fix(misconf): do not set default value for default_cache_behavior (#7234) * feat(misconf): support for policy and bucket grants (#7284) * fix(misconf): load only submodule if it is specified in source (#7112) * perf(misconf): use json.Valid to check validity of JSON (#7308) * refactor(misconf): remove unused universal scanner (#7293) * perf(misconf): do not convert contents of a YAML file to string (#7292) * fix(terraform): add aws_region name to presets (#7184) * docs: add auto-generated config (#7261) * feat(vuln): Add `--detection-priority` flag for accuracy tuning (#7288) * refactor(misconf): remove file filtering from parsers (#7289) * fix(flag): incorrect behavior for deprected flag `--clear-cache` (#7281) * fix(java): Return error when trying to find a remote pom to avoid segfault (#7275) * fix(plugin): do not call GitHub content API for releases and tags (#7274) * feat(vm): support the Ext2/Ext3 filesystems (#6983) * feat(cli)!: delete deprecated SBOM flags (#7266) * feat(vm): Support direct filesystem (#7058) - Update to version 0.51.1 (boo#1227010, CVE-2024-3817):

Patchnames: openSUSE-2025-56

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2024-34155

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-34156

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-34158

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-3817

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2024-45337

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-45338

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2025-21613

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-21614

Affected products

Recommended 10 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64	—	Vendor Fix

Threats

Impact important

References

30 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://bugzilla.suse.com/1227010	self
https://bugzilla.suse.com/1234512	self
https://bugzilla.suse.com/1235265	self
https://www.suse.com/security/cve/CVE-2024-34155/	self
https://www.suse.com/security/cve/CVE-2024-34156/	self
https://www.suse.com/security/cve/CVE-2024-34158/	self
https://www.suse.com/security/cve/CVE-2024-3817/	self
https://www.suse.com/security/cve/CVE-2024-45337/	self
https://www.suse.com/security/cve/CVE-2024-45338/	self
https://www.suse.com/security/cve/CVE-2025-21613/	self
https://www.suse.com/security/cve/CVE-2025-21614/	self
https://www.suse.com/security/cve/CVE-2024-34155	external
https://bugzilla.suse.com/1230252	external
https://www.suse.com/security/cve/CVE-2024-34156	external
https://bugzilla.suse.com/1230253	external
https://www.suse.com/security/cve/CVE-2024-34158	external
https://bugzilla.suse.com/1230254	external
https://www.suse.com/security/cve/CVE-2024-3817	external
https://bugzilla.suse.com/1226999	external
https://www.suse.com/security/cve/CVE-2024-45337	external
https://bugzilla.suse.com/1234482	external
https://www.suse.com/security/cve/CVE-2024-45338	external
https://bugzilla.suse.com/1234794	external
https://www.suse.com/security/cve/CVE-2025-21613	external
https://bugzilla.suse.com/1235572	external
https://www.suse.com/security/cve/CVE-2025-21614	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for trivy",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for trivy fixes the following issues:\n\nUpdate to version 0.58.2 (\n\n      boo#1234512, CVE-2024-45337,\n      boo#1235265, CVE-2024-45338):\n\n  * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)\n  * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)\n  * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)\n  * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)\n  * fix(python): skip dev group\u0027s deps for poetry [backport: release/v0.58] (#8158)\n  * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)\n  * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)\n  * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)\n  * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)\n  * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)\n  * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)\n  * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)\n  * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)\n  * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)\n  * release: v0.58.0 [main] (#7874)\n  * fix(misconf): wrap AWS EnvVar to iac types (#7407)\n  * chore(deps): Upgrade trivy-checks (#8018)\n  * refactor(misconf): Remove unused options (#7896)\n  * docs: add terminology page to explain Trivy concepts (#7996)\n  * feat: add `workspaceRelationship` (#7889)\n  * refactor(sbom): simplify relationship generation (#7985)\n  * docs: improve databases documentation (#7732)\n  * refactor: remove support for custom Terraform checks (#7901)\n  * docs: drop AWS account scanning (#7997)\n  * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)\n  * fix(cli): Handle empty ignore files more gracefully (#7962)\n  * fix(misconf): load full Terraform module (#7925)\n  * fix(misconf): properly resolve local Terraform cache (#7983)\n  * refactor(k8s): add v prefix for Go packages (#7839)\n  * test: replace Go checks with Rego (#7867)\n  * feat(misconf): log causes of HCL file parsing errors (#7634)\n  * chore(deps): bump the aws group across 1 directory with 7 updates (#7991)\n  * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)\n  * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)\n  * chore: downgrade the failed block expand message to debug (#7964)\n  * fix(misconf): do not erase variable type for child modules (#7941)\n  * feat(go): construct dependencies of `go.mod` main module in the parser (#7977)\n  * feat(go): construct dependencies in the parser (#7973)\n  * feat: add cvss v4 score and vector in scan response (#7968)\n  * docs: add `overview` page for `others` (#7972)\n  * fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)\n  * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)\n  * chore(deps): bump the common group with 4 updates (#7949)\n  * feat(oracle): add `flavors` support (#7858)\n  * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)\n  * chore(deps): Bump up trivy-checks to v1.3.0 (#7959)\n  * fix(k8s): check all results for vulnerabilities (#7946)\n  * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)\n  * feat(secret): Add built-in secrets rules for Private Packagist (#7826)\n  * docs: Fix broken links (#7900)\n  * docs: fix mistakes/typos (#7942)\n  * feat: Update registry fallbacks (#7679)\n  * fix(alpine): add `UID` for removed packages (#7887)\n  * chore(deps): bump the aws group with 6 updates (#7902)\n  * chore(deps): bump the common group with 6 updates (#7904)\n  * fix(debian): infinite loop (#7928)\n  * fix(redhat): don\u0027t return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)\n  * docs: add note about temporary podman socket (#7921)\n  * docs: combine trivy.dev into trivy docs (#7884)\n  * test: change branch in spdx schema link to check in integration tests (#7935)\n  * docs: add Headlamp to the Trivy Ecosystem page (#7916)\n  * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)\n  * chore(k8s): enhance k8s scan log (#6997)\n  * fix(terraform): set null value as fallback for missing variables (#7669)\n  * fix(misconf): handle null properties in CloudFormation templates (#7813)\n  * fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)\n  * chore(deps): bump the common group across 1 directory with 20 updates (#7876)\n  * chore: bump containerd to v2.0.0 (#7875)\n  * fix: Improve version comparisons when build identifiers are present (#7873)\n  * feat(k8s): add default commands for unknown platform (#7863)\n  * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)\n  * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)\n  * test: save `containerd` image into archive and use in tests (#7816)\n  * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)\n  * chore: bump golangci-lint to v1.61.0 (#7853)\n\n- Update to version 0.57.1:\n  * release: v0.57.1 [release/v0.57] (#7943)\n  * feat: Update registry fallbacks [backport: release/v0.57] (#7944)\n  * fix(redhat): don\u0027t return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)\n  * test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)\n  * release: v0.57.0 [main] (#7710)\n  * chore: lint `errors.Join` (#7845)\n  * feat(db): append errors (#7843)\n  * docs(java): add info about supported scopes (#7842)\n  * docs: add example of creating whitelist of checks (#7821)\n  * chore(deps): Bump trivy-checks (#7819)\n  * fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)\n  * fix(k8s): skip resources without misconfigs (#7797)\n  * fix(sbom):  use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)\n  * fix(cli): add config name to skip-policy-update alias (#7820)\n  * fix(helm): properly handle multiple archived dependencies (#7782)\n  * refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)\n  * fix(k8s)!: support k8s multi container (#7444)\n  * fix(k8s): support kubernetes v1.31 (#7810)\n  * docs: add Windows install instructions (#7800)\n  * ci(helm): auto public Helm chart after PR merged (#7526)\n  * feat: add end of life date for Ubuntu 24.10 (#7787)\n  * feat(report): update gitlab template to populate operating_system value (#7735)\n  * feat(misconf): Show misconfig ID in output (#7762)\n  * feat(misconf): export unresolvable field of IaC types to Rego (#7765)\n  * refactor(k8s): scan config files as a folder (#7690)\n  * fix(license): fix license normalization for Universal Permissive License (#7766)\n  * fix: enable usestdlibvars linter (#7770)\n  * fix(misconf): properly expand dynamic blocks (#7612)\n  * feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)\n  * fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)\n  * refactor(misconf): simplify k8s scanner (#7717)\n  * feat(parser): ignore white space in pom.xml files (#7747)\n  * test: use forked images (#7755)\n  * fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)\n  * fix(misconf): check if property is not nil before conversion (#7578)\n  * fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)\n  * feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)\n  * test: define constants for test images (#7739)\n  * docs: add note about disabled DS016 check (#7724)\n  * feat(misconf): public network support for Azure Storage Account (#7601)\n  * feat(cli): rename `trivy auth` to `trivy registry` (#7727)\n  * docs: apt-transport-https is a transitional package (#7678)\n  * refactor(misconf): introduce generic scanner (#7515)\n  * fix(cli): `clean --all` deletes only relevant dirs (#7704)\n  * feat(cli): add `trivy auth` (#7664)\n  * fix(sbom): add options for DBs in private registries (#7660)\n  * docs(report): fix reporting doc format (#7671)\n  * fix(repo): `git clone` output to Stderr (#7561)\n  * fix(redhat): include arch in PURL qualifiers (#7654)\n  * fix(report): Fix invalid URI in SARIF report (#7645)\n  * docs(report): Improve SARIF reporting doc (#7655)\n  * fix(db): fix javadb downloading error handling (#7642)\n  * feat(cli): error out when ignore file cannot be found (#7624)\n\n- Update to version 0.56.2:\n  * release: v0.56.2 [release/v0.56] (#7694)\n  * fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)\n  * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)\n\n- Update to version 0.56.1:\n  * release: v0.56.1 [release/v0.56] (#7648)\n  * fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)\n  * release: v0.56.0 [main] (#7447)\n  * fix(misconf): not to warn about missing selectors of libraries (#7638)\n  * feat: support RPM archives (#7628)\n  * fix(secret): change grafana token regex to find them without unquoted (#7627)\n  * fix(misconf): Disable deprecated checks by default (#7632)\n  * chore: add prefixes to log messages (#7625)\n  * feat(misconf): Support `--skip-*` for all included modules  (#7579)\n  * feat: support multiple DB repositories for vulnerability and Java DB (#7605)\n  * ci: don\u0027t use cache for `setup-go` (#7622)\n  * test: use loaded image names (#7617)\n  * feat(java): add empty versions if `pom.xml` dependency versions can\u0027t be detected (#7520)\n  * feat(secret): enhance secret scanning for python binary files (#7223)\n  * refactor: fix auth error handling (#7615)\n  * ci: split `save` and `restore` cache actions (#7614)\n  * fix(misconf): disable DS016 check for image history analyzer (#7540)\n  * feat(suse): added SUSE Linux Enterprise Micro support (#7294)\n  * feat(misconf): add ability to disable checks by ID (#7536)\n  * fix(misconf): escape all special sequences (#7558)\n  * test: use a local registry for remote scanning (#7607)\n  * fix: allow access to \u0027..\u0027 in mapfs (#7575)\n  * fix(db): check `DownloadedAt` for `trivy-java-db` (#7592)\n  * chore(deps): bump the common group across 1 directory with 20 updates (#7604)\n  * ci: add `workflow_dispatch` trigger for test workflow. (#7606)\n  * ci: cache test images for `integration`, `VM` and `module` tests (#7599)\n  * chore(deps): remove broken replaces for opa and discovery (#7600)\n  * docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458)\n  * fix(misconf): Fixed scope for China Cloud (#7560)\n  * perf(misconf): use port ranges instead of enumeration (#7549)\n  * fix(sbom): export bom-ref when converting a package to a component (#7340)\n  * refactor(misconf): pass options to Rego scanner as is (#7529)\n  * fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (#7527)\n  * chore(deps): bump go-ebs-file (#7513)\n  * fix(misconf): Fix logging typo (#7473)\n  * feat(misconf): Register checks only when needed (#7435)\n  * refactor: split `.egg` and `packaging` analyzers (#7514)\n  * fix(java): use `dependencyManagement` from root/child pom\u0027s for dependencies from parents (#7497)\n  * chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (#7510)\n  * chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508)\n  * chore(vex): suppress openssl vulnerabilities (#7500)\n  * revert(java): stop supporting of `test` scope for `pom.xml` files (#7488)\n  * docs(db): add a manifest example (#7485)\n  * feat(license): improve license normalization (#7131)\n  * docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449)\n  * fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (#7463)\n  * fix(report): change a receiver of MarshalJSON (#7483)\n  * fix(oracle): Update EOL date for Oracle 7 (#7480)\n  * chore(deps): bump the aws group with 6 updates (#7468)\n  * chore(deps): bump the common group across 1 directory with 19 updates (#7436)\n  * chore(helm): bump up Trivy Helm chart (#7441)\n  * refactor(java): add error/statusCode for logs when we can\u0027t get pom.xml/maven-metadata.xml from remote repo (#7451)\n  * fix(license): stop spliting a long license text (#7336)\n  * release: v0.55.0 [main] (#7271)\n  * feat(go): use `toolchain` as `stdlib` version for `go.mod` files (#7163)\n  * fix(license): add license handling to JUnit template (#7409)\n  * feat(java): add `test` scope support for `pom.xml` files (#7414)\n  * chore(deps): Bump trivy-checks and pin OPA (#7427)\n  * fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (#7362)\n  * feat(sbom): set User-Agent header on requests to Rekor (#7396)\n  * test: add integration plugin tests (#7299)\n  * fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (#7387)\n  * fix: logger initialization before flags parsing (#7372)\n  * fix(aws): handle ECR repositories in different regions (#6217)\n  * fix(misconf): fix infer type for null value (#7424)\n  * fix(secret): use `.eyJ` keyword for JWT secret (#7410)\n  * fix(misconf): do not recreate filesystem map (#7416)\n  * chore(deps): Bump trivy-checks (#7417)\n  * fix(misconf): do not register Rego libs in checks registry (#7420)\n  * fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (#7403)\n  * feat(report): export modified findings in JSON (#7383)\n  * feat(server): Make Trivy Server Multiplexer Exported (#7389)\n  * chore: update CODEOWNERS (#7398)\n  * fix(secret): use only line with secret for long secret lines (#7412)\n  * chore: fix allow rule of ignoring test files to make it case insensitive (#7415)\n  * feat(misconf): port and protocol support for EC2 networks (#7146)\n  * fix(misconf): do not filter Terraform plan JSON by name (#7406)\n  * feat(misconf): support for ignore by nested attributes (#7205)\n  * fix(misconf): use module to log when metadata retrieval fails (#7405)\n  * fix(report): escape `Message` field in `asff.tpl` template (#7401)\n  * feat(misconf): Add support for using spec from on-disk bundle (#7179)\n  * docs: add pkg flags to config file page (#7370)\n  * feat(python): use minimum version for pip packages (#7348)\n  * fix(misconf): support deprecating for Go checks (#7377)\n  * fix(misconf): init frameworks before updating them (#7376)\n  * feat(misconf): ignore duplicate checks (#7317)\n  * refactor(misconf): use slog (#7295)\n  * chore(deps): bump trivy-checks (#7350)\n  * feat(server): add internal `--path-prefix` flag for client/server mode (#7321)\n  * chore(deps): bump the aws group across 1 directory with 7 updates (#7358)\n  * fix: safely check if the directory exists (#7353)\n  * feat(misconf): variable support for Terraform Plan (#7228)\n  * feat(misconf): scanning support for YAML and JSON (#7311)\n  * fix(misconf): wrap Azure PortRange in iac types (#7357)\n  * refactor(misconf): highlight only affected rows (#7310)\n  * fix(misconf): change default TLS values for the Azure storage account (#7345)\n  * chore(deps): bump the common group with 9 updates (#7333)\n  * docs(misconf): Update callsites to use correct naming (#7335)\n  * docs: update air-gapped docs (#7160)\n  * refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323)\n  * perf(misconf): optimize work with context (#6968)\n  * docs: update links to packaging.python.org (#7318)\n  * docs: update client/server docs for misconf and license scanning (#7277)\n  * chore(deps): bump the common group across 1 directory with 7 updates (#7305)\n  * feat(misconf): iterator argument support for dynamic blocks (#7236)\n  * fix(misconf): do not set default value for default_cache_behavior (#7234)\n  * feat(misconf): support for policy and bucket grants (#7284)\n  * fix(misconf): load only submodule if it is specified in source (#7112)\n  * perf(misconf): use json.Valid to check validity of JSON (#7308)\n  * refactor(misconf): remove unused universal scanner (#7293)\n  * perf(misconf): do not convert contents of a YAML file to string (#7292)\n  * fix(terraform): add aws_region name to presets (#7184)\n  * docs: add auto-generated config (#7261)\n  * feat(vuln): Add `--detection-priority` flag for accuracy tuning (#7288)\n  * refactor(misconf): remove file filtering from parsers (#7289)\n  * fix(flag): incorrect behavior for deprected flag `--clear-cache` (#7281)\n  * fix(java): Return error when trying to find a remote pom to avoid segfault (#7275)\n  * fix(plugin): do not call GitHub content API for releases and tags (#7274)\n  * feat(vm): support the Ext2/Ext3 filesystems (#6983)\n  * feat(cli)!: delete deprecated SBOM flags (#7266)\n  * feat(vm): Support direct filesystem (#7058)\n\n- Update to version 0.51.1 (boo#1227010, CVE-2024-3817):",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2025-56",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0056-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:0056-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNHR7ATZWEF5LQKUNEXKL22CUQAND3A/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:0056-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNHR7ATZWEF5LQKUNEXKL22CUQAND3A/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1227010",
        "url": "https://bugzilla.suse.com/1227010"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1234512",
        "url": "https://bugzilla.suse.com/1234512"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1235265",
        "url": "https://bugzilla.suse.com/1235265"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-34155 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-34155/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-34156 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-34156/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-34158 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-34158/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-3817 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-3817/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45337 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45337/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45338 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45338/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-21613 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-21613/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-21614 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-21614/"
      }
    ],
    "title": "Security update for trivy",
    "tracking": {
      "current_release_date": "2025-02-07T11:01:31Z",
      "generator": {
        "date": "2025-02-07T11:01:31Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:0056-1",
      "initial_release_date": "2025-02-07T11:01:31Z",
      "revision_history": [
        {
          "date": "2025-02-07T11:01:31Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.58.2-bp156.2.6.1.aarch64",
                "product": {
                  "name": "trivy-0.58.2-bp156.2.6.1.aarch64",
                  "product_id": "trivy-0.58.2-bp156.2.6.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.58.2-bp156.2.6.1.i586",
                "product": {
                  "name": "trivy-0.58.2-bp156.2.6.1.i586",
                  "product_id": "trivy-0.58.2-bp156.2.6.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.58.2-bp156.2.6.1.ppc64le",
                "product": {
                  "name": "trivy-0.58.2-bp156.2.6.1.ppc64le",
                  "product_id": "trivy-0.58.2-bp156.2.6.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.58.2-bp156.2.6.1.s390x",
                "product": {
                  "name": "trivy-0.58.2-bp156.2.6.1.s390x",
                  "product_id": "trivy-0.58.2-bp156.2.6.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.58.2-bp156.2.6.1.x86_64",
                "product": {
                  "name": "trivy-0.58.2-bp156.2.6.1.x86_64",
                  "product_id": "trivy-0.58.2-bp156.2.6.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP6",
                "product": {
                  "name": "SUSE Package Hub 15 SP6",
                  "product_id": "SUSE Package Hub 15 SP6"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.aarch64 as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.i586 as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.i586",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.ppc64le as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.s390x as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.x86_64 as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.aarch64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.i586 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.ppc64le as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.s390x as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.58.2-bp156.2.6.1.x86_64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
        },
        "product_reference": "trivy-0.58.2-bp156.2.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-34155",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-34155"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-34155",
          "url": "https://www.suse.com/security/cve/CVE-2024-34155"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1230252 for CVE-2024-34155",
          "url": "https://bugzilla.suse.com/1230252"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-07T11:01:31Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-34155"
    },
    {
      "cve": "CVE-2024-34156",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-34156"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-34156",
          "url": "https://www.suse.com/security/cve/CVE-2024-34156"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1230253 for CVE-2024-34156",
          "url": "https://bugzilla.suse.com/1230253"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-07T11:01:31Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-34156"
    },
    {
      "cve": "CVE-2024-34158",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-34158"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-34158",
          "url": "https://www.suse.com/security/cve/CVE-2024-34158"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1230254 for CVE-2024-34158",
          "url": "https://bugzilla.suse.com/1230254"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-07T11:01:31Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-34158"
    },
    {
      "cve": "CVE-2024-3817",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-3817"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "HashiCorp\u0027s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-3817",
          "url": "https://www.suse.com/security/cve/CVE-2024-3817"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1226999 for CVE-2024-3817",
          "url": "https://bugzilla.suse.com/1226999"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-07T11:01:31Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2024-3817"
    },
    {
      "cve": "CVE-2024-45337",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45337"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45337",
          "url": "https://www.suse.com/security/cve/CVE-2024-45337"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234482 for CVE-2024-45337",
          "url": "https://bugzilla.suse.com/1234482"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-07T11:01:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-45337"
    },
    {
      "cve": "CVE-2024-45338",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45338"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45338",
          "url": "https://www.suse.com/security/cve/CVE-2024-45338"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234794 for CVE-2024-45338",
          "url": "https://bugzilla.suse.com/1234794"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-07T11:01:31Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-45338"
    },
    {
      "cve": "CVE-2025-21613",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-21613"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-21613",
          "url": "https://www.suse.com/security/cve/CVE-2025-21613"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1235572 for CVE-2025-21613",
          "url": "https://bugzilla.suse.com/1235572"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-07T11:01:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-21613"
    },
    {
      "cve": "CVE-2025-21614",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-21614"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
          "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
          "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-21614",
          "url": "https://www.suse.com/security/cve/CVE-2025-21614"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.i586",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.s390x",
            "SUSE Package Hub 15 SP6:trivy-0.58.2-bp156.2.6.1.x86_64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.aarch64",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.i586",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.ppc64le",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.s390x",
            "openSUSE Leap 15.6:trivy-0.58.2-bp156.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-07T11:01:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-21614"
    }
  ]
}

OPENSUSE-SU-2025:14624-1

Vulnerability from csaf_opensuse - Published: 2025-01-09 00:00 - Updated: 2025-01-09 00:00

Summary

govulncheck-vulndb-0.0.20250108T191942-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: govulncheck-vulndb-0.0.20250108T191942-1.1 on GA media

Description of the patch: These are all security issues fixed in the govulncheck-vulndb-0.0.20250108T191942-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2025-14624

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2024-25133

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-28892

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2024-45387

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2024-54148

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2024-55196

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-55947

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-56362

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-56513

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-56514

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2025-21609

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2025-21613

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-21614

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-22130

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

31 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://www.suse.com/security/cve/CVE-2024-25133/	self
https://www.suse.com/security/cve/CVE-2024-28892/	self
https://www.suse.com/security/cve/CVE-2024-45387/	self
https://www.suse.com/security/cve/CVE-2024-54148/	self
https://www.suse.com/security/cve/CVE-2024-55196/	self
https://www.suse.com/security/cve/CVE-2024-55947/	self
https://www.suse.com/security/cve/CVE-2024-56362/	self
https://www.suse.com/security/cve/CVE-2024-56513/	self
https://www.suse.com/security/cve/CVE-2024-56514/	self
https://www.suse.com/security/cve/CVE-2025-21609/	self
https://www.suse.com/security/cve/CVE-2025-21613/	self
https://www.suse.com/security/cve/CVE-2025-21614/	self
https://www.suse.com/security/cve/CVE-2025-22130/	self
https://www.suse.com/security/cve/CVE-2024-25133	external
https://www.suse.com/security/cve/CVE-2024-28892	external
https://www.suse.com/security/cve/CVE-2024-45387	external
https://www.suse.com/security/cve/CVE-2024-54148	external
https://www.suse.com/security/cve/CVE-2024-55196	external
https://www.suse.com/security/cve/CVE-2024-55947	external
https://www.suse.com/security/cve/CVE-2024-56362	external
https://www.suse.com/security/cve/CVE-2024-56513	external
https://www.suse.com/security/cve/CVE-2024-56514	external
https://www.suse.com/security/cve/CVE-2025-21609	external
https://www.suse.com/security/cve/CVE-2025-21613	external
https://bugzilla.suse.com/1235572	external
https://www.suse.com/security/cve/CVE-2025-21614	external
https://www.suse.com/security/cve/CVE-2025-22130	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "govulncheck-vulndb-0.0.20250108T191942-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20250108T191942-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14624",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14624-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:14624-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UV63VQGB6Y3V7AIZHIKF3PMFVIHM32MI/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:14624-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UV63VQGB6Y3V7AIZHIKF3PMFVIHM32MI/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-25133 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-25133/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-28892 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-28892/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45387 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45387/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-54148 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-54148/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-55196 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-55196/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-55947 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-55947/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-56362 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-56362/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-56513 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-56513/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-56514 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-56514/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-21609 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-21609/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-21613 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-21613/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-21614 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-21614/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22130 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22130/"
      }
    ],
    "title": "govulncheck-vulndb-0.0.20250108T191942-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-01-09T00:00:00Z",
      "generator": {
        "date": "2025-01-09T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14624-1",
      "initial_release_date": "2025-01-09T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-09T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
                  "product_id": "govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
                  "product_id": "govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
                  "product_id": "govulncheck-vulndb-0.0.20250108T191942-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64",
                  "product_id": "govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-25133",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-25133"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-25133",
          "url": "https://www.suse.com/security/cve/CVE-2024-25133"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-25133"
    },
    {
      "cve": "CVE-2024-28892",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-28892"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-28892",
          "url": "https://www.suse.com/security/cve/CVE-2024-28892"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2024-28892"
    },
    {
      "cve": "CVE-2024-45387",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45387"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An SQL injection vulnerability in Traffic Ops in Apache Traffic Control \u003c= 8.0.1, \u003e= 8.0.0 allows a privileged user with role \"admin\", \"federation\", \"operations\", \"portal\", or \"steering\" to execute arbitrary SQL against the database by sending a specially-crafted PUT request.\n\nUsers are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45387",
          "url": "https://www.suse.com/security/cve/CVE-2024-45387"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2024-45387"
    },
    {
      "cve": "CVE-2024-54148",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-54148"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-54148",
          "url": "https://www.suse.com/security/cve/CVE-2024-54148"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2024-54148"
    },
    {
      "cve": "CVE-2024-55196",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-55196"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-55196",
          "url": "https://www.suse.com/security/cve/CVE-2024-55196"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-55196"
    },
    {
      "cve": "CVE-2024-55947",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-55947"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-55947",
          "url": "https://www.suse.com/security/cve/CVE-2024-55947"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-55947"
    },
    {
      "cve": "CVE-2024-56362",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-56362"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-56362",
          "url": "https://www.suse.com/security/cve/CVE-2024-56362"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-56362"
    },
    {
      "cve": "CVE-2024-56513",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-56513"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-56513",
          "url": "https://www.suse.com/security/cve/CVE-2024-56513"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-56513"
    },
    {
      "cve": "CVE-2024-56514",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-56514"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one\u0027s karmada-operator to one of the fixed versions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-56514",
          "url": "https://www.suse.com/security/cve/CVE-2024-56514"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-56514"
    },
    {
      "cve": "CVE-2025-21609",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-21609"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-21609",
          "url": "https://www.suse.com/security/cve/CVE-2025-21609"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-21609"
    },
    {
      "cve": "CVE-2025-21613",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-21613"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-21613",
          "url": "https://www.suse.com/security/cve/CVE-2025-21613"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1235572 for CVE-2025-21613",
          "url": "https://bugzilla.suse.com/1235572"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-21613"
    },
    {
      "cve": "CVE-2025-21614",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-21614"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-21614",
          "url": "https://www.suse.com/security/cve/CVE-2025-21614"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-21614"
    },
    {
      "cve": "CVE-2025-22130",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22130"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user\u0027s repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22130",
          "url": "https://www.suse.com/security/cve/CVE-2025-22130"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-09T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-22130"
    }
  ]
}

CVE-2025-21614 (GCVE-0-2025-21614)

Tags

Sightings

Nomenclature

Action not permitted

CVE-2025-21614 (GCVE-0-2025-21614)

Vulnerability from osv_almalinux

Solutions

Solutions

Solutions

Impact

Patches

Workarounds

Credit

Tags

Sightings

Nomenclature