Описание
Security update for govulncheck-vulndb
This update for govulncheck-vulndb fixes the following issues:
-
Update to version 0.0.20241104T154416 2024-11-04T15:44:16Z. Refs jsc#PED-11136 Go CVE Numbering Authority IDs added or updated with aliases:
- GO-2024-3233 CVE-2024-46872 GHSA-762g-9p7f-mrww
- GO-2024-3234 CVE-2024-47401 GHSA-762v-rq7q-ff97
- GO-2024-3235 CVE-2024-50052 GHSA-g376-m3h3-mj4r
- GO-2024-3237 CVE-2024-0133 GHSA-f748-7hpg-88ch
- GO-2024-3239 CVE-2024-0132 GHSA-mjjw-553x-87pq
- GO-2024-3240 CVE-2024-10452 GHSA-66c4-2g2v-54qw
- GO-2024-3241 CVE-2024-10006 GHSA-5c4w-8hhh-3c3h
- GO-2024-3242 CVE-2024-10086 GHSA-99wr-c2px-grmh
- GO-2024-3243 CVE-2024-10005 GHSA-chgm-7r52-whjj
-
Update to version 0.0.20241101T215616 2024-11-01T21:56:16Z. Refs jsc#PED-11136 Go CVE Numbering Authority IDs added or updated with aliases:
- GO-2024-3244 CVE-2024-50354 GHSA-cph5-3pgr-c82g
- GO-2024-3245 CVE-2024-39720
- GO-2024-3246 CVE-2024-8185 GHSA-g233-2p4r-3q7v
Список пакетов
SUSE Linux Enterprise Module for Package Hub 15 SP5
SUSE Linux Enterprise Module for Package Hub 15 SP6
openSUSE Leap 15.5
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2024:3950-1
- E-Mail link for SUSE-SU-2024:3950-1
- SUSE Security Ratings
- SUSE CVE CVE-2024-0132 page
- SUSE CVE CVE-2024-0133 page
- SUSE CVE CVE-2024-10005 page
- SUSE CVE CVE-2024-10006 page
- SUSE CVE CVE-2024-10086 page
- SUSE CVE CVE-2024-10452 page
- SUSE CVE CVE-2024-39720 page
- SUSE CVE CVE-2024-46872 page
- SUSE CVE CVE-2024-47401 page
- SUSE CVE CVE-2024-50052 page
- SUSE CVE CVE-2024-50354 page
- SUSE CVE CVE-2024-8185 page
Описание
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Затронутые продукты
Ссылки
- CVE-2024-0132
- SUSE Bug 1231033
Описание
NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to data tampering.
Затронутые продукты
Ссылки
- CVE-2024-0133
- SUSE Bug 1231032
Описание
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
Затронутые продукты
Ссылки
- CVE-2024-10005
Описание
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.
Затронутые продукты
Ссылки
- CVE-2024-10006
Описание
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.
Затронутые продукты
Ссылки
- CVE-2024-10086
Описание
Organization admins can delete pending invites created in an organization they are not part of.
Затронутые продукты
Ссылки
- CVE-2024-10452
- SUSE Bug 1232569
Описание
An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom magic header. By leveraging a custom Modelfile that includes a FROM statement pointing to the attacker-controlled blob file, the attacker can crash the application through the CreateModel route, leading to a segmentation fault (signal SIGSEGV: segmentation violation).
Затронутые продукты
Ссылки
- CVE-2024-39720
- SUSE Bug 1232794
Описание
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks
Затронутые продукты
Ссылки
- CVE-2024-46872
Описание
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by sending a specially crafted request to Playbooks.
Затронутые продукты
Ссылки
- CVE-2024-47401
Описание
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.
Затронутые продукты
Ссылки
- CVE-2024-50052
Описание
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16 verification keys allocate excessive memory, consuming a lot of resources and triggering a crash with the error fatal error: runtime: out of memory.
Затронутые продукты
Ссылки
- CVE-2024-50354
Описание
Vault Community and Vault Enterprise ("Vault") clusters using Vault's Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself. This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.
Затронутые продукты
Ссылки
- CVE-2024-8185
- SUSE Bug 1232752