go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS)     vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to     perform denial of service attacks by providing specially crafted responses from a Git server which     triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are     recommended to upgrade to v5.13 in order to mitigate this vulnerability. (CVE-2025-21614)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2025:0401 advisory.

    * go-git: argument injection via the URL field (CVE-2025-21613)

    * go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies (CVE-2025-21614)

Tenable has extracted the preceding description block directly from the RockyLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of packer installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-21614 advisory.

  - go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS)     vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to     perform denial of service attacks by providing specially crafted responses from a Git server which     triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are     recommended to upgrade to v5.13 in order to mitigate this vulnerability. (CVE-2025-21614)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2025:0056-1 advisory.

    Update to version 0.58.2 (

          boo#1234512, CVE-2024-45337,           boo#1235265, CVE-2024-45338):

      * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
      * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58]     (#8237)
      * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport:
    release/v0.58] (#8215)
      * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
      * fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
      * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)
      * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)
      * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport:
    release/v0.58] (#8136)
      * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58]     (#8135)
      * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
      * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same     app type [backport: release/v0.58] (#8124)
      * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
      * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)
      * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props     [backport: release/v0.58] (#8119)
      * release: v0.58.0 [main] (#7874)
      * fix(misconf): wrap AWS EnvVar to iac types (#7407)
      * chore(deps): Upgrade trivy-checks (#8018)
      * refactor(misconf): Remove unused options (#7896)
      * docs: add terminology page to explain Trivy concepts (#7996)
      * feat: add `workspaceRelationship` (#7889)
      * refactor(sbom): simplify relationship generation (#7985)
      * docs: improve databases documentation (#7732)
      * refactor: remove support for custom Terraform checks (#7901)
      * docs: drop AWS account scanning (#7997)
      * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
      * fix(cli): Handle empty ignore files more gracefully (#7962)
      * fix(misconf): load full Terraform module (#7925)
      * fix(misconf): properly resolve local Terraform cache (#7983)
      * refactor(k8s): add v prefix for Go packages (#7839)
      * test: replace Go checks with Rego (#7867)
      * feat(misconf): log causes of HCL file parsing errors (#7634)
      * chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
      * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1     directory (#7990)
      * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
      * chore: downgrade the failed block expand message to debug (#7964)
      * fix(misconf): do not erase variable type for child modules (#7941)
      * feat(go): construct dependencies of `go.mod` main module in the parser (#7977)
      * feat(go): construct dependencies in the parser (#7973)
      * feat: add cvss v4 score and vector in scan response (#7968)
      * docs: add `overview` page for `others` (#7972)
      * fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
      * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
      * chore(deps): bump the common group with 4 updates (#7949)
      * feat(oracle): add `flavors` support (#7858)
      * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)
      * chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
      * fix(k8s): check all results for vulnerabilities (#7946)
      * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
      * feat(secret): Add built-in secrets rules for Private Packagist (#7826)
      * docs: Fix broken links (#7900)
      * docs: fix mistakes/typos (#7942)
      * feat: Update registry fallbacks (#7679)
      * fix(alpine): add `UID` for removed packages (#7887)
      * chore(deps): bump the aws group with 6 updates (#7902)
      * chore(deps): bump the common group with 6 updates (#7904)
      * fix(debian): infinite loop (#7928)
      * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not     `contentSets` files (#7912)
      * docs: add note about temporary podman socket (#7921)
      * docs: combine trivy.dev into trivy docs (#7884)
      * test: change branch in spdx schema link to check in integration tests (#7935)
      * docs: add Headlamp to the Trivy Ecosystem page (#7916)
      * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)
      * chore(k8s): enhance k8s scan log (#6997)
      * fix(terraform): set null value as fallback for missing variables (#7669)
      * fix(misconf): handle null properties in CloudFormation templates (#7813)
      * fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
      * chore(deps): bump the common group across 1 directory with 20 updates (#7876)
      * chore: bump containerd to v2.0.0 (#7875)
      * fix: Improve version comparisons when build identifiers are present (#7873)
      * feat(k8s): add default commands for unknown platform (#7863)
      * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
      * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
      * test: save `containerd` image into archive and use in tests (#7816)
      * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
      * chore: bump golangci-lint to v1.61.0 (#7853)

    - Update to version 0.57.1:
      * release: v0.57.1 [release/v0.57] (#7943)
      * feat: Update registry fallbacks [backport: release/v0.57] (#7944)
      * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not     `contentSets` files [backport: release/v0.57] (#7939)
      * test: change branch in spdx schema link to check in integration tests [backport: release/v0.57]     (#7940)
      * release: v0.57.0 [main] (#7710)
      * chore: lint `errors.Join` (#7845)
      * feat(db): append errors (#7843)
      * docs(java): add info about supported scopes (#7842)
      * docs: add example of creating whitelist of checks (#7821)
      * chore(deps): Bump trivy-checks (#7819)
      * fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
      * fix(k8s): skip resources without misconfigs (#7797)
      * fix(sbom):  use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)
      * fix(cli): add config name to skip-policy-update alias (#7820)
      * fix(helm): properly handle multiple archived dependencies (#7782)
      * refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)
      * fix(k8s)!: support k8s multi container (#7444)
      * fix(k8s): support kubernetes v1.31 (#7810)
      * docs: add Windows install instructions (#7800)
      * ci(helm): auto public Helm chart after PR merged (#7526)
      * feat: add end of life date for Ubuntu 24.10 (#7787)
      * feat(report): update gitlab template to populate operating_system value (#7735)
      * feat(misconf): Show misconfig ID in output (#7762)
      * feat(misconf): export unresolvable field of IaC types to Rego (#7765)
      * refactor(k8s): scan config files as a folder (#7690)
      * fix(license): fix license normalization for Universal Permissive License (#7766)
      * fix: enable usestdlibvars linter (#7770)
      * fix(misconf): properly expand dynamic blocks (#7612)
      * feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)
      * fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
      * refactor(misconf): simplify k8s scanner (#7717)
      * feat(parser): ignore white space in pom.xml files (#7747)
      * test: use forked images (#7755)
      * fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies`     into parents (#7541)
      * fix(misconf): check if property is not nil before conversion (#7578)
      * fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)
      * feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
      * test: define constants for test images (#7739)
      * docs: add note about disabled DS016 check (#7724)
      * feat(misconf): public network support for Azure Storage Account (#7601)
      * feat(cli): rename `trivy auth` to `trivy registry` (#7727)
      * docs: apt-transport-https is a transitional package (#7678)
      * refactor(misconf): introduce generic scanner (#7515)
      * fix(cli): `clean --all` deletes only relevant dirs (#7704)
      * feat(cli): add `trivy auth` (#7664)
      * fix(sbom): add options for DBs in private registries (#7660)
      * docs(report): fix reporting doc format (#7671)
      * fix(repo): `git clone` output to Stderr (#7561)
      * fix(redhat): include arch in PURL qualifiers (#7654)
      * fix(report): Fix invalid URI in SARIF report (#7645)
      * docs(report): Improve SARIF reporting doc (#7655)
      * fix(db): fix javadb downloading error handling (#7642)
      * feat(cli): error out when ignore file cannot be found (#7624)

    - Update to version 0.56.2:
      * release: v0.56.2 [release/v0.56] (#7694)
      * fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
      * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)

    - Update to version 0.56.1:
      * release: v0.56.1 [release/v0.56] (#7648)
      * fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)
      * release: v0.56.0 [main] (#7447)
      * fix(misconf): not to warn about missing selectors of libraries (#7638)
      * feat: support RPM archives (#7628)
      * fix(secret): change grafana token regex to find them without unquoted (#7627)
      * fix(misconf): Disable deprecated checks by default (#7632)
      * chore: add prefixes to log messages (#7625)
      * feat(misconf): Support `--skip-*` for all included modules  (#7579)
      * feat: support multiple DB repositories for vulnerability and Java DB (#7605)
      * ci: don't use cache for `setup-go` (#7622)
      * test: use loaded image names (#7617)
      * feat(java): add empty versions if `pom.xml` dependency versions can't be detected (#7520)
      * feat(secret): enhance secret scanning for python binary files (#7223)
      * refactor: fix auth error handling (#7615)
      * ci: split `save` and `restore` cache actions (#7614)
      * fix(misconf): disable DS016 check for image history analyzer (#7540)
      * feat(suse): added SUSE Linux Enterprise Micro support (#7294)
      * feat(misconf): add ability to disable checks by ID (#7536)
      * fix(misconf): escape all special sequences (#7558)
      * test: use a local registry for remote scanning (#7607)
      * fix: allow access to '..' in mapfs (#7575)
      * fix(db): check `DownloadedAt` for `trivy-java-db` (#7592)
      * chore(deps): bump the common group across 1 directory with 20 updates (#7604)
      * ci: add `workflow_dispatch` trigger for test workflow. (#7606)
      * ci: cache test images for `integration`, `VM` and `module` tests (#7599)
      * chore(deps): remove broken replaces for opa and discovery (#7600)
      * docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458)
      * fix(misconf): Fixed scope for China Cloud (#7560)
      * perf(misconf): use port ranges instead of enumeration (#7549)
      * fix(sbom): export bom-ref when converting a package to a component (#7340)
      * refactor(misconf): pass options to Rego scanner as is (#7529)
      * fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (#7527)
      * chore(deps): bump go-ebs-file (#7513)
      * fix(misconf): Fix logging typo (#7473)
      * feat(misconf): Register checks only when needed (#7435)
      * refactor: split `.egg` and `packaging` analyzers (#7514)
      * fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents (#7497)
      * chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json`     (#7510)
      * chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508)
      * chore(vex): suppress openssl vulnerabilities (#7500)
      * revert(java): stop supporting of `test` scope for `pom.xml` files (#7488)
      * docs(db): add a manifest example (#7485)
      * feat(license): improve license normalization (#7131)
      * docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449)
      * fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (#7463)
      * fix(report): change a receiver of MarshalJSON (#7483)
      * fix(oracle): Update EOL date for Oracle 7 (#7480)
      * chore(deps): bump the aws group with 6 updates (#7468)
      * chore(deps): bump the common group across 1 directory with 19 updates (#7436)
      * chore(helm): bump up Trivy Helm chart (#7441)
      * refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote     repo (#7451)
      * fix(license): stop spliting a long license text (#7336)
      * release: v0.55.0 [main] (#7271)
      * feat(go): use `toolchain` as `stdlib` version for `go.mod` files (#7163)
      * fix(license): add license handling to JUnit template (#7409)
      * feat(java): add `test` scope support for `pom.xml` files (#7414)
      * chore(deps): Bump trivy-checks and pin OPA (#7427)
      * fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (#7362)
      * feat(sbom): set User-Agent header on requests to Rekor (#7396)
      * test: add integration plugin tests (#7299)
      * fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (#7387)
      * fix: logger initialization before flags parsing (#7372)
      * fix(aws): handle ECR repositories in different regions (#6217)
      * fix(misconf): fix infer type for null value (#7424)
      * fix(secret): use `.eyJ` keyword for JWT secret (#7410)
      * fix(misconf): do not recreate filesystem map (#7416)
      * chore(deps): Bump trivy-checks (#7417)
      * fix(misconf): do not register Rego libs in checks registry (#7420)
      * fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (#7403)
      * feat(report): export modified findings in JSON (#7383)
      * feat(server): Make Trivy Server Multiplexer Exported (#7389)
      * chore: update CODEOWNERS (#7398)
      * fix(secret): use only line with secret for long secret lines (#7412)
      * chore: fix allow rule of ignoring test files to make it case insensitive (#7415)
      * feat(misconf): port and protocol support for EC2 networks (#7146)
      * fix(misconf): do not filter Terraform plan JSON by name (#7406)
      * feat(misconf): support for ignore by nested attributes (#7205)
      * fix(misconf): use module to log when metadata retrieval fails (#7405)
      * fix(report): escape `Message` field in `asff.tpl` template (#7401)
      * feat(misconf): Add support for using spec from on-disk bundle (#7179)
      * docs: add pkg flags to config file page (#7370)
      * feat(python): use minimum version for pip packages (#7348)
      * fix(misconf): support deprecating for Go checks (#7377)
      * fix(misconf): init frameworks before updating them (#7376)
      * feat(misconf): ignore duplicate checks (#7317)
      * refactor(misconf): use slog (#7295)
      * chore(deps): bump trivy-checks (#7350)
      * feat(server): add internal `--path-prefix` flag for client/server mode (#7321)
      * chore(deps): bump the aws group across 1 directory with 7 updates (#7358)
      * fix: safely check if the directory exists (#7353)
      * feat(misconf): variable support for Terraform Plan (#7228)
      * feat(misconf): scanning support for YAML and JSON (#7311)
      * fix(misconf): wrap Azure PortRange in iac types (#7357)
      * refactor(misconf): highlight only affected rows (#7310)
      * fix(misconf): change default TLS values for the Azure storage account (#7345)
      * chore(deps): bump the common group with 9 updates (#7333)
      * docs(misconf): Update callsites to use correct naming (#7335)
      * docs: update air-gapped docs (#7160)
      * refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323)
      * perf(misconf): optimize work with context (#6968)
      * docs: update links to packaging.python.org (#7318)
      * docs: update client/server docs for misconf and license scanning (#7277)
      * chore(deps): bump the common group across 1 directory with 7 updates (#7305)
      * feat(misconf): iterator argument support for dynamic blocks (#7236)
      * fix(misconf): do not set default value for default_cache_behavior (#7234)
      * feat(misconf): support for policy and bucket grants (#7284)
      * fix(misconf): load only submodule if it is specified in source (#7112)
      * perf(misconf): use json.Valid to check validity of JSON (#7308)
      * refactor(misconf): remove unused universal scanner (#7293)
      * perf(misconf): do not convert contents of a YAML file to string (#7292)
      * fix(terraform): add aws_region name to presets (#7184)
      * docs: add auto-generated config (#7261)
      * feat(vuln): Add `--detection-priority` flag for accuracy tuning (#7288)
      * refactor(misconf): remove file filtering from parsers (#7289)
      * fix(flag): incorrect behavior for deprected flag `--clear-cache` (#7281)
      * fix(java): Return error when trying to find a remote pom to avoid segfault (#7275)
      * fix(plugin): do not call GitHub content API for releases and tags (#7274)
      * feat(vm): support the Ext2/Ext3 filesystems (#6983)
      * feat(cli)!: delete deprecated SBOM flags (#7266)
      * feat(vm): Support direct filesystem (#7058)

    - Update to version 0.51.1 (boo#1227010, CVE-2024-3817):

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-824 advisory.

    go-git is a highly extensible git implementation library written in pure Go. An argument injection     vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this     vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens     when the file transport protocol is being used, as that is the only protocol that shells out to git     binaries. This vulnerability is fixed in 5.13.0. (CVE-2025-21613)

    go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS)     vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to     perform denial of service attacks by providing specially crafted responses from a Git server which     triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are     recommended to upgrade to v5.13 in order to mitigate this vulnerability. (CVE-2025-21614)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of amazon-ssm-agent installed on the remote host is prior to 3.3.1611.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2739 advisory.

    go-git is a highly extensible git implementation library written in pure Go. An argument injection     vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this     vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens     when the file transport protocol is being used, as that is the only protocol that shells out to git     binaries. This vulnerability is fixed in 5.13.0. (CVE-2025-21613)

    go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS)     vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to     perform denial of service attacks by providing specially crafted responses from a Git server which     triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are     recommended to upgrade to v5.13 in order to mitigate this vulnerability. (CVE-2025-21614)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:0662 advisory.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    Security Fix(es):

    * go-git: argument injection via the URL field (CVE-2025-21613)

    * go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies (CVE-2025-21614)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:0401 advisory.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    Security Fix(es):

    * go-git: argument injection via the URL field (CVE-2025-21613)

    * go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies (CVE-2025-21614)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:0401 advisory.

    * go-git: argument injection via the URL field (CVE-2025-21613)
      * go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies (CVE-2025-21614)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-0401 advisory.

    - Resolves RHEL-72881: CVE-2025-21614

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of packer installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-21614 advisory.

  - go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS)     vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to     perform denial of service attacks by providing specially crafted responses from a Git server which     triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are     recommended to upgrade to v5.13 in order to mitigate this vulnerability. (CVE-2025-21614)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:0060-1 advisory.

    - Update to version 0.0.20250108T191942 2025-01-08T19:19:42Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2025-3371 GHSA-2r2v-9pf8-6342
      * GO-2025-3374 CVE-2025-22130 GHSA-j4jw-m6xr-fv6c

    - Update to version 0.0.20250107T160406 2025-01-07T16:04:06Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2025-3363 GO-2025-3364 GO-2025-3367 GO-2025-3368
      * GO-2024-3355 CVE-2024-54148 GHSA-r7j8-5h9c-f6fx
      * GO-2024-3356 CVE-2024-55947 GHSA-qf5v-rp47-55gg
      * GO-2024-3357 CVE-2024-56362 GHSA-xwx7-p63r-2rj8
      * GO-2024-3358 CVE-2024-45387 GHSA-vq94-9pfv-ccqr
      * GO-2024-3359 CVE-2024-28892 GHSA-5qww-56gc-f66c
      * GO-2024-3360 CVE-2024-25133 GHSA-wgqq-9qh8-wvqv
      * GO-2025-3361 CVE-2024-55196 GHSA-rv83-h68q-c4wq
      * GO-2025-3362 CVE-2025-21609 GHSA-8fx8-pffw-w498
      * GO-2025-3363 CVE-2024-56514 GHSA-cwrh-575j-8vr3
      * GO-2025-3364 CVE-2024-56513 GHSA-mg7w-c9x2-xh7r
      * GO-2025-3367 CVE-2025-21614 GHSA-r9px-m959-cxf4
      * GO-2025-3368 CVE-2025-21613 GHSA-v725-9546-7q7m

    - Update to version 0.0.20241220T214820 2024-12-20T21:48:20Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2024-3101 GHSA-75qh-gg76-p2w4
      * GO-2024-3339 GHSA-8wcc-m6j2-qxvm

    - Update to version 0.0.20241220T203729 2024-12-20T20:37:29Z.
      Refs jsc#PED-11136       Go CVE Numbering Authority IDs added or updated with aliases:
      * GO-2024-3101 GHSA-75qh-gg76-p2w4
      * GO-2024-3109 CVE-2024-43803 GHSA-pqfh-xh7w-7h3p
      * GO-2024-3333 CVE-2024-45338 GHSA-w32m-9786-jp63
      * GO-2024-3342 GHSA-hxr6-2p24-hf98
      * GO-2024-3343 CVE-2024-9779 GHSA-jhh6-6fhp-q2xp
      * GO-2024-3344 GHSA-32gq-x56h-299c
      * GO-2024-3349 CVE-2024-25131 GHSA-77c2-c35q-254w
      * GO-2024-3350 GHSA-5pf6-cq2v-23ww
      * GO-2024-3354 CVE-2024-12678 GHSA-hr68-hvgv-xxqf

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
231639	Linux Distros Unpatched Vulnerability : CVE-2025-21614	Nessus	Misc.	high
216303	RockyLinux 8 : grafana (RLSA-2025:0401)	Nessus	Rocky Linux Local Security Checks	critical
215531	Azure Linux 3.0 Security Update: packer (CVE-2025-21614)	Nessus	Azure Linux Local Security Checks	high
215185	openSUSE 15 Security Update : trivy (openSUSE-SU-2025:0056-1)	Nessus	SuSE Local Security Checks	critical
215023	Amazon Linux 2023 : amazon-ssm-agent (ALAS2023-2025-824)	Nessus	Amazon Linux Local Security Checks	critical
214978	Amazon Linux 2 : amazon-ssm-agent (ALAS-2025-2739)	Nessus	Amazon Linux Local Security Checks	critical
214526	RHEL 9 : grafana (RHSA-2025:0662)	Nessus	Red Hat Local Security Checks	critical
214434	RHEL 8 : grafana (RHSA-2025:0401)	Nessus	Red Hat Local Security Checks	critical
214396	AlmaLinux 8 : grafana (ALSA-2025:0401)	Nessus	Alma Linux Local Security Checks	critical
214392	Oracle Linux 8 : grafana (ELSA-2025-0401)	Nessus	Oracle Linux Local Security Checks	critical
214246	CBL Mariner 2.0 Security Update: packer (CVE-2025-21614)	Nessus	MarinerOS Local Security Checks	high
213966	SUSE SLES15 / openSUSE 15 Security Update : govulncheck-vulndb (SUSE-SU-2025:0060-1)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2025-21614

high

Tenable Plugins

high

critical

high

critical

critical

critical

critical

critical

critical

critical

high

critical