govulncheck-vulndb-0.0.20250108T191942-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15686 Final 1 1 2025-01-09T00:00:00Z current 2025-01-09T00:00:00Z 2025-01-09T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250108T191942-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250108T191942-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15686 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-25133/ SUSE CVE CVE-2024-25133 page https://www.suse.com/security/cve/CVE-2024-28892/ SUSE CVE CVE-2024-28892 page https://www.suse.com/security/cve/CVE-2024-45387/ SUSE CVE CVE-2024-45387 page https://www.suse.com/security/cve/CVE-2024-54148/ SUSE CVE CVE-2024-54148 page https://www.suse.com/security/cve/CVE-2024-55196/ SUSE CVE CVE-2024-55196 page https://www.suse.com/security/cve/CVE-2024-55947/ SUSE CVE CVE-2024-55947 page https://www.suse.com/security/cve/CVE-2024-56362/ SUSE CVE CVE-2024-56362 page https://www.suse.com/security/cve/CVE-2024-56513/ SUSE CVE CVE-2024-56513 page https://www.suse.com/security/cve/CVE-2024-56514/ SUSE CVE CVE-2024-56514 page https://www.suse.com/security/cve/CVE-2025-21609/ SUSE CVE CVE-2025-21609 page https://www.suse.com/security/cve/CVE-2025-21613/ SUSE CVE CVE-2025-21613 page https://www.suse.com/security/cve/CVE-2025-21614/ SUSE CVE CVE-2025-21614 page https://www.suse.com/security/cve/CVE-2025-22130/ SUSE CVE CVE-2025-22130 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250108T191942-1.1 govulncheck-vulndb-0.0.20250108T191942-1.1 as a component of openSUSE Tumbleweed A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod. CVE-2024-25133 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-25133.html CVE-2024-25133 An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. CVE-2024-28892 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-28892.html CVE-2024-28892 An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops. CVE-2024-45387 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-45387.html CVE-2024-45387 Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1. CVE-2024-54148 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-54148.html CVE-2024-54148 Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers. CVE-2024-55196 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-55196.html CVE-2024-55196 Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. CVE-2024-55947 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-55947.html CVE-2024-55947 Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1. CVE-2024-56362 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-56362.html CVE-2024-56362 Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs. CVE-2024-56513 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-56513.html CVE-2024-56513 Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one's karmada-operator to one of the fixed versions. CVE-2024-56514 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-56514.html CVE-2024-56514 SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19. CVE-2025-21609 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-21609.html CVE-2025-21609 go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0. CVE-2025-21613 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-21613.html CVE-2025-21613 https://bugzilla.suse.com/1235572 SUSE Bug 1235572 go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability. CVE-2025-21614 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-21614.html CVE-2025-21614 Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions. This is patched in v0.8.2. CVE-2025-22130 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-22130.html CVE-2025-22130