Drafts

CVE-2025-1828
updated 2 weeks, 6 days ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted as draft
Perl's Crypt::Random module after 1.05 and before 1.56 may use rand() function for cryptographic functions

The Crypt::Random Perl package, versions 1.05 through 1.55, may use the rand() function, which is not cryptographically strong, for cryptographic purposes. Crypt::Random::rand 1.05 through 1.55 uses the rand() function. If the Provider is not specified and neither /dev/urandom nor an Entropy Gathering Daemon (egd) service is available, Crypt::Random defaults to the insecure Crypt::Random::rand provider. In particular, Windows versions of Perl encounter this issue by default.

Crypt-Random
<1.56

pkgs.perl536Packages.CryptRandom

Interface to /dev/random and /dev/urandom

pkgs.perl538Packages.CryptRandom

Interface to /dev/random and /dev/urandom

pkgs.perl540Packages.CryptRandom

Interface to /dev/random and /dev/urandom

pkgs.perl536Packages.CryptRandomSeed

Provide strong randomness for seeding

pkgs.perl538Packages.CryptRandomSeed

Provide strong randomness for seeding

pkgs.perl540Packages.CryptRandomSeed

Provide strong randomness for seeding

pkgs.perl536Packages.CryptRandomSource

Get weak or strong random data from pluggable sources

pkgs.perl536Packages.CryptRandomTESHA2

Random numbers using timer/schedule entropy, aka userspace voodoo entropy

pkgs.perl538Packages.CryptRandomSource

Get weak or strong random data from pluggable sources

pkgs.perl540Packages.CryptRandomSource

Get weak or strong random data from pluggable sources
Notify package maintainers: 1
CVE-2025-26466
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 3 weeks, 4 days ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk removed
    7 packages
    • pkgs.perl540Packages.NetOpenSSH 0.84
    • pkgs.perl538Packages.NetOpenSSH 0.84
    • pkgs.perl536Packages.NetOpenSSH 0.84
    • pkgs.lxqt.lxqt-openssh-askpass 2.0.1
    • pkgs.lxqt.lxqt-openssh-askpass 2.1.0
    • pkgs.openssh_hpnWithKerberos 9.9p1
    • pkgs.opensshWithKerberos 9.9p1
  • @fricklerhandwerk accepted as draft
Openssh: denial-of-service in openssh

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packets. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packets, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service.

rhcos
OpenSSH
=<9.9p1
openssh
Notify package maintainers: 5
CVE-2025-0750
6.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
updated 1 month, 4 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk accepted as draft
Cri-o: cri-o path traversal in log handling functions allows arbitrary unmounting

A vulnerability was found in CRI-O. A path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs) may allow an attacker with permissions to create and delete Pods to unmount arbitrary host paths, leading to node-level denial of service by unmounting critical system directories.

cri-o
rhcos
Notify package maintainers: 2
CVE-2024-11218
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk removed
    15 packages
    • pkgs.buildah-unwrapped 1.35.4
    • pkgs.buildah-unwrapped 1.38.0
    • pkgs.nomad-driver-podman 0.5.2
    • pkgs.nomad-driver-podman 0.6.1
    • pkgs.nvidia-podman
    • pkgs.podman-compose 1.1.0
    • pkgs.podman-compose 1.2.0
    • pkgs.podman-desktop 0.12.0
    • pkgs.podman-desktop 1.13.2
    • pkgs.python311Packages.podman 5.0.0
    • pkgs.python311Packages.podman 5.2.0
    • pkgs.python311Packages.podman 5.3.0
    • pkgs.python312Packages.podman 5.0.0
    • pkgs.python312Packages.podman 5.2.0
    • pkgs.python312Packages.podman 5.3.0
  • @fricklerhandwerk accepted as draft
Podman: buildah: container breakout by using --jobs=2 and a race condition when building a malicious containerfile

A vulnerability was found in `podman build` and `buildah`. The issue is a container breakout that uses --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.

rhcos
podman
buildah
container-tools:rhel8/podman
container-tools:rhel8/buildah
Notify package maintainers: 3
CVE-2024-0406
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted as draft
Mholt/archiver: path traversal vulnerability

A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the privileges of the user or application using the library.

archiver
*
*
openshift4/oc-mirror-plugin-rhel8
advanced-cluster-security/rhacs-main-rhel8
advanced-cluster-security/rhacs-roxctl-rhel8
advanced-cluster-security/rhacs-scanner-rhel8

pkgs.python311Packages.nskeyedunarchiver

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver

Unserializes plist data into a usable Python dict
Notify package maintainers: 7
CVE-2024-12084
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    16 packages
    • pkgs.emacsPackages.dired-rsync-transient 20230714.1459
    • pkgs.python312Packages.vdirsyncer 0.19.2
    • pkgs.python312Packages.vdirsyncer 0.19.3
    • pkgs.python311Packages.vdirsyncer 0.19.2
    • pkgs.python311Packages.vdirsyncer 0.19.3
    • pkgs.python312Packages.sysrsync 1.1.1
    • pkgs.python311Packages.sysrsync 1.1.1
    • pkgs.diskrsync 1.3.0
    • pkgs.emacsPackages.dired-rsync 20230822.1350
    • pkgs.emacsPackages.rsync-mode 20210911.0
    • pkgs.rrsync 3.3.0
    • pkgs.librsync 2.3.4
    • pkgs.grsync 1.3.1
    • pkgs.openrsync 2022-05-08
    • pkgs.vdirsyncer 0.19.2
    • pkgs.vdirsyncer 0.19.3
  • @LeSuisse accepted as draft
Rsync: heap buffer overflow in rsync due to improper checksum length handling

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

rhcos
rsync
==3.2.7
==3.3.0
Notify package maintainers: 3
CVE-2025-23884
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon dismissed
  • @Erethon accepted as draft
WordPress Annie plugin <= 2.1.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery. This issue affects Annie: from n/a through 2.1.1.

annie
=<2.1.1
Notify package maintainers: 1
CVE-2025-23760
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 2 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted as draft
  • @Erethon dismissed
  • @Erethon accepted as draft
WordPress Chatter plugin <= 1.0.1 - CSRF to Stored XSS vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.

chatter
=<1.0.1
Notify package maintainers: 3
CVE-2025-0502
updated 2 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted as draft
Transmission of Private Resources into a New Sphere in Crafter Engine

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure. This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

Engine
<4.1.6
<4.0.8

pkgs.perl536Packages.XMLXPathEngine

A re-usable XPath engine for DOM-like trees

pkgs.perl538Packages.XMLXPathEngine

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.XMLXPathEngine

Re-usable XPath engine for DOM-like trees

pkgs.perl536Packages.ZonemasterEngine

A tool to check the quality of a DNS zone

pkgs.perl540Packages.ZonemasterEngine

Tool to check the quality of a DNS zone
CVE-2024-10270
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    3 packages
    • pkgs.terraform-providers.keycloak 4.4.0
    • pkgs.python311Packages.python-keycloak 4.0.0
    • pkgs.python312Packages.python-keycloak 4.0.0
  • @LeSuisse accepted as draft
Org.keycloak:keycloak-services: keycloak denial of service

A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to regex complexity.

keycloak
<24.0.9
<26.0.6
rhbk/keycloak-rhel9
*
rhbk/keycloak-rhel9-operator
*
rhbk/keycloak-operator-bundle
*
org.keycloak/keycloak-services

pkgs.keycloak

Identity and access management for modern applications and services
Notify package maintainers: 3