Drafts

CVE-2024-11218
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 7 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk accepted as draft
Podman: buildah: container breakout by using --jobs=2 and a race condition when building a malicious containerfile

A vulnerability was found in `podman build` and `buildah`. A race condition when building a malicious Containerfile with --jobs=2 allows a container breakout. SELinux might mitigate it, but even with SELinux enabled, it still allows the enumeration of files and directories on the host.

rhcos
*
podman
*
buildah
<1.35.5
<1.37.6
<1.38.1
<1.33.12
*
container-tools:rhel8
*
container-tools:rhel8/podman
container-tools:rhel8/buildah

pkgs.podman

Program for managing pods, containers and container images

pkgs.buildah

Tool which facilitates building OCI images

pkgs.podman-tui

Podman Terminal UI
Package maintainers: 3
CVE-2024-0406
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 7 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted as draft
Mholt/archiver: path traversal vulnerability

A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.

archiver
*
*
openshift4/oc-mirror-plugin-rhel8
openshift4/oc-mirror-plugin-rhel9
*
advanced-cluster-security/rhacs-main-rhel8
advanced-cluster-security/rhacs-roxctl-rhel8
advanced-cluster-security/rhacs-scanner-rhel8

pkgs.archiver

Easily create & extract archives, and compress & decompress files of various formats

pkgs.xarchiver

GTK frontend to 7z,zip,rar,tar,bzip2, gzip,arj, lha, rpm and deb (open and extract only)

pkgs.fsarchiver

File system archiver for linux

pkgs.lxqt.lxqt-archiver

Archive tool for the LXQt desktop environment

pkgs.CuboCore.corearchiver

Archiver from the C Suite to create and extract archives

pkgs.wayback-machine-archiver

Python script to submit web pages to the Wayback Machine for archiving

pkgs.python311Packages.nskeyedunarchiver

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver.x86_64-linux

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver.aarch64-linux

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver.x86_64-darwin

Unserializes plist data into a usable Python dict

pkgs.python312Packages.nskeyedunarchiver.aarch64-darwin

Unserializes plist data into a usable Python dict
Package maintainers: 7
CVE-2024-12084
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 7 months ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted as draft
Rsync: heap buffer overflow in rsync due to improper checksum length handling

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

rhcos
rsync
*
==3.3.0
==3.2.7

pkgs.rsync

Fast incremental file transfer utility

pkgs.rsync.x86_64-linux

Fast incremental file transfer utility

pkgs.rsync.aarch64-linux

Fast incremental file transfer utility

pkgs.rsync.x86_64-darwin

Fast incremental file transfer utility

pkgs.rsync.aarch64-darwin

Fast incremental file transfer utility
Package maintainers: 3
CVE-2025-23884
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 7 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon dismissed
  • @Erethon accepted as draft
WordPress Annie plugin <= 2.1.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery. This issue affects Annie: from n/a through 2.1.1.

annie
=<2.1.1

pkgs.wannier90

Calculation of maximally localised Wannier functions
Package maintainers: 1
CVE-2025-23760
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 7 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted as draft
  • @Erethon dismissed
  • @Erethon accepted as draft
WordPress Chatter plugin <= 1.0.1 - CSRF to Stored XSS vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.

chatter
=<1.0.1

pkgs.chatterino2

Chat client for Twitch chat

pkgs.haskellPackages.chatter

A library of simple NLP algorithms

pkgs.haskellPackages.chatter.x86_64-linux

A library of simple NLP algorithms

pkgs.haskellPackages.chatter.aarch64-linux

A library of simple NLP algorithms

pkgs.haskellPackages.chatter.x86_64-darwin

A library of simple NLP algorithms

pkgs.haskellPackages.chatter.aarch64-darwin

A library of simple NLP algorithms
Package maintainers: 3
CVE-2025-0502
updated 7 months, 1 week ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted as draft
Transmission of Private Resources into a New Sphere in Crafter Engine

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure. This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

Engine
<4.0.8
<4.1.6

pkgs.haskellPackages.Control-Engine

A parallel producer/consumer engine (thread pool)

pkgs.perl538Packages.XMLXPathEngine

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.XMLXPathEngine

Re-usable XPath engine for DOM-like trees

pkgs.perl538Packages.ZonemasterEngine

Tool to check the quality of a DNS zone

pkgs.perl540Packages.ZonemasterEngine

Tool to check the quality of a DNS zone

pkgs.perl540Packages.XMLXPathEngine.x86_64-linux

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.XMLXPathEngine.aarch64-linux

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.XMLXPathEngine.x86_64-darwin

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.XMLXPathEngine.aarch64-darwin

Re-usable XPath engine for DOM-like trees

pkgs.perl540Packages.ZonemasterEngine.x86_64-linux

Tool to check the quality of a DNS zone

pkgs.perl540Packages.ZonemasterEngine.aarch64-linux

Tool to check the quality of a DNS zone

pkgs.perl540Packages.ZonemasterEngine.x86_64-darwin

Tool to check the quality of a DNS zone

pkgs.perl540Packages.ZonemasterEngine.aarch64-darwin

Tool to check the quality of a DNS zone
CVE-2024-10270
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 8 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted as draft
Org.keycloak:keycloak-services: keycloak denial of service

A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to regex complexity.

keycloak
<26.0.6
<24.0.9
rhbk/keycloak-rhel9
*
rhbk/keycloak-rhel9-operator
*
rhbk/keycloak-operator-bundle
*
org.keycloak/keycloak-services
CVE-2024-9979
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 8 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted as draft
Pyo3: risk of use-after-free in `borrowed` reads from python weak references

A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references.

pyo3
<0.22.4
python3.11-nh3
python3.11-rpds-py
python3.11-cryptography
python3.12-cryptography
Package maintainers: 1
CVE-2023-6717
6.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 8 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted as draft
Keycloak: xss via assertion consumer service url in saml post-binding flow

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

keycloak
<24.0.3
<22.0.10
mta/mta-ui-rhel8
mta/mta-ui-rhel9
rh-sso7-keycloak
rhdh-hub-container
rhbk/keycloak-rhel9
*
rhdh/rhdh-hub-rhel9
org.keycloak/keycloak-core
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
*
rhbk/keycloak-operator-bundle
*
openshift-gitops-1/gitops-rhel8-operator
openshift-serverless-1/logic-rhel8-operator
*
openshift-serverless-1/logic-operator-bundle
*
openshift-serverless-1/logic-swf-builder-rhel8
*
openshift-serverless-1/logic-swf-devmode-rhel8
*
openshift-serverless-1-logic-rhel8-operator-container
*
openshift-serverless-1/logic-data-index-ephemeral-rhel8
*
openshift-serverless-1-logic-swf-builder-rhel8-container
*
openshift-serverless-1-logic-swf-devmode-rhel8-container
*
openshift-serverless-1/logic-data-index-postgresql-rhel8
*
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8
*
openshift-serverless-1/logic-jobs-service-postgresql-rhel8
*
openshift-serverless-1-logic-rhel8-operator-bundle-container
*
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8
*
openshift-serverless-1-logic-data-index-ephemeral-rhel8-container
*
openshift-serverless-1-logic-data-index-postgresql-rhel8-container
*
openshift-serverless-1-logic-jobs-service-ephemeral-rhel8-container
*
openshift-serverless-1-logic-jobs-service-postgresql-rhel8-container
*
openshift-serverless-1-logic-kn-workflow-cli-artifacts-rhel8-container
*

pkgs.keycloak

Identity and access management for modern applications and services
Package maintainers: 3
CVE-2023-6291
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 8 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted as draft
Keycloak: redirect_uri validation bypass

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

keycloak
rh-sso7-keycloak
*
rhbk/keycloak-rhel9
*
org.keycloak/keycloak-core
rhbk/keycloak-rhel9-operator
*
rhbk/keycloak-operator-bundle
*
rh-sso-7/sso76-openshift-rhel8
*
rh-sso-7/sso7-rhel8-operator-bundle
*

pkgs.keycloak

Identity and access management for modern applications and services
Package maintainers: 3