Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-29923 (GCVE-0-2025-29923)
Vulnerability from cvelistv5
Published
2025-03-20 18:03
Modified
2025-03-20 19:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T19:43:05.478582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T19:43:13.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-redis",
"vendor": "redis",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.7.0-beta.1, \u003c 9.7.3"
},
{
"status": "affected",
"version": "\u003e= 9.6.0b1, \u003c 9.6.3"
},
{
"status": "affected",
"version": "\u003e= 9.5.1, \u003c 9.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:03:14.933Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7"
},
{
"name": "https://github.com/redis/go-redis/pull/3295",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/redis/go-redis/pull/3295"
},
{
"name": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6"
}
],
"source": {
"advisory": "GHSA-92cp-5422-2mw7",
"discovery": "UNKNOWN"
},
"title": "go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-29923",
"datePublished": "2025-03-20T18:03:14.933Z",
"dateReserved": "2025-03-12T13:42:22.136Z",
"dateUpdated": "2025-03-20T19:43:13.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-29923\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-20T18:15:19.230\",\"lastModified\":\"2025-03-20T18:15:19.230\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/redis/go-redis/pull/3295\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-20\", \"lang\": \"en\", \"description\": \"CWE-20: Improper Input Validation\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 3.7, \"baseSeverity\": \"LOW\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7\"}, {\"name\": \"https://github.com/redis/go-redis/pull/3295\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/redis/go-redis/pull/3295\"}, {\"name\": \"https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6\"}], \"affected\": [{\"vendor\": \"redis\", \"product\": \"go-redis\", \"versions\": [{\"version\": \"\u003e= 9.7.0-beta.1, \u003c 9.7.3\", \"status\": \"affected\"}, {\"version\": \"\u003e= 9.6.0b1, \u003c 9.6.3\", \"status\": \"affected\"}, {\"version\": \"\u003e= 9.5.1, \u003c 9.5.5\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-20T18:03:14.933Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.\"}], \"source\": {\"advisory\": \"GHSA-92cp-5422-2mw7\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-29923\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-20T19:43:05.478582Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-20T19:43:09.152Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2025-29923\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-03-12T13:42:22.136Z\", \"datePublished\": \"2025-03-20T18:03:14.933Z\", \"dateUpdated\": \"2025-03-20T19:43:13.663Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
fkie_cve-2025-29923
Vulnerability from fkie_nvd
Published
2025-03-20 18:15
Modified
2025-03-20 18:15
Severity ?
Summary
go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance."
},
{
"lang": "es",
"value": "go-redis es la librer\u00eda cliente oficial de Redis para el lenguaje de programaci\u00f3n Go. En versiones anteriores a las 9.5.5, 9.6.3 y 9.7.3, go-redis pod\u00eda responder de forma incorrecta cuando se agotaba el tiempo de espera de `CLIENT SETINFO` durante el establecimiento de la conexi\u00f3n. Esto puede ocurrir cuando el cliente est\u00e1 configurado para transmitir su identidad, existen problemas de conectividad de red o se configur\u00f3 con tiempos de espera agresivos. El problema se presenta en varios casos de uso. En conexiones persistentes, se reciben respuestas incorrectas persistentes durante la vida \u00fatil de la conexi\u00f3n. Todos los comandos en la canalizaci\u00f3n reciben respuestas incorrectas. Al usar el ConnPool predeterminado, una vez que se devuelve una conexi\u00f3n despu\u00e9s de usar ConnPool#Put, se revisa el b\u00fafer de lectura y la conexi\u00f3n se marca como incorrecta debido a los datos no le\u00eddos. Esto significa que se recibe como m\u00e1ximo una respuesta incorrecta antes de que se descarte la conexi\u00f3n. Este problema se solucion\u00f3 en las versiones 9.5.5, 9.6.3 y 9.7.3. Puede evitar la vulnerabilidad estableciendo el indicador DisableIndentity en verdadero al construir la instancia del cliente."
}
],
"id": "CVE-2025-29923",
"lastModified": "2025-03-20T18:15:19.230",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-03-20T18:15:19.230",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/redis/go-redis/pull/3295"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
ghsa-92cp-5422-2mw7
Vulnerability from github
Published
2025-03-20 18:49
Modified
2025-03-20 18:49
Severity ?
VLAI Severity ?
Summary
go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment
Details
Impact
The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout:
- The client is configured to transmit its identity. This can be disabled via the
DisableIndentityflag. - There are network connectivity issues
- The client was configured with aggressive timeouts
The impact differs by use case:
- Sticky connections: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection.
- Pipelines: All commands in the pipeline receive incorrect responses.
- Default connection pool usage without pipelining: When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded.
Patches
We prepared a fix in https://github.com/redis/go-redis/pull/3295 and plan to release patch versions soon.
Workarounds
You can prevent the vulnerability by setting the flag DisableIndentity (BTW: We also need to fix the spelling.) to true when constructing the client instance.
Credit
Akhass Wasti Ramin Ghorashi Anton Amlinger Syed Rahman Mahesh Venkateswaran Sergey Zavoloka Aditya Adarwal Abdulla Anam Abd-Alhameed Alex Vanlint Gaurav Choudhary Vedanta Jha Yll Kelani Ryan Picard
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/redis/go-redis/v9"
},
"ranges": [
{
"events": [
{
"introduced": "9.7.0-beta.1"
},
{
"fixed": "9.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/redis/go-redis/v9"
},
"ranges": [
{
"events": [
{
"introduced": "9.6.0b1"
},
{
"fixed": "9.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/redis/go-redis/v9"
},
"ranges": [
{
"events": [
{
"introduced": "9.5.1"
},
{
"fixed": "9.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-29923"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-20T18:49:59Z",
"nvd_published_at": "2025-03-20T18:15:19Z",
"severity": "LOW"
},
"details": "### Impact\n\nThe issue only occurs when the `CLIENT SETINFO` command times out during connection establishment. The following circumstances can cause such a timeout:\n\n1. The client is configured to transmit its identity. This can be disabled via the `DisableIndentity` flag.\n2. There are network connectivity issues\n3. The client was configured with aggressive timeouts\n\nThe impact differs by use case:\n\n* **Sticky connections**: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection.\n* **Pipelines**: All commands in the pipeline receive incorrect responses.\n* **Default connection pool usage without pipelining**: When used with the default [ConnPool](https://github.com/redis/go-redis/blob/8fadbef84a3f4e7573f8b38e5023fd469470a8a4/internal/pool/pool.go#L77) once a connection is returned after use with [ConnPool#Put](https://github.com/redis/go-redis/blob/8fadbef84a3f4e7573f8b38e5023fd469470a8a4/internal/pool/pool.go#L366) the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded.\n\n### Patches\nWe prepared a fix in https://github.com/redis/go-redis/pull/3295 and plan to release patch versions soon.\n\n### Workarounds\nYou can prevent the vulnerability by setting the flag `DisableIndentity` (BTW: We also need to fix the spelling.) to `true` when constructing the client instance.\n\n### Credit\n\nAkhass Wasti\nRamin Ghorashi\nAnton Amlinger\nSyed Rahman\nMahesh Venkateswaran\nSergey Zavoloka\nAditya Adarwal\nAbdulla Anam\nAbd-Alhameed\nAlex Vanlint\nGaurav Choudhary\nVedanta Jha\nYll Kelani\nRyan Picard",
"id": "GHSA-92cp-5422-2mw7",
"modified": "2025-03-20T18:49:59Z",
"published": "2025-03-20T18:49:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/redis/go-redis/security/advisories/GHSA-92cp-5422-2mw7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29923"
},
{
"type": "WEB",
"url": "https://github.com/redis/go-redis/pull/3295"
},
{
"type": "WEB",
"url": "https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6"
},
{
"type": "PACKAGE",
"url": "https://github.com/redis/go-redis"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment"
}
opensuse-su-2025:14937-1
Vulnerability from csaf_opensuse
Published
2025-03-28 00:00
Modified
2025-03-28 00:00
Summary
govulncheck-vulndb-0.0.20250327T184518-1.1 on GA media
Notes
Title of the patch
govulncheck-vulndb-0.0.20250327T184518-1.1 on GA media
Description of the patch
These are all security issues fixed in the govulncheck-vulndb-0.0.20250327T184518-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-14937
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "govulncheck-vulndb-0.0.20250327T184518-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20250327T184518-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14937",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14937-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:14937-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:14937-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-25132 page",
"url": "https://www.suse.com/security/cve/CVE-2024-25132/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53348 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53348/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53351 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53351/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-7598 page",
"url": "https://www.suse.com/security/cve/CVE-2024-7598/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-7631 page",
"url": "https://www.suse.com/security/cve/CVE-2024-7631/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-9042 page",
"url": "https://www.suse.com/security/cve/CVE-2024-9042/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-9900 page",
"url": "https://www.suse.com/security/cve/CVE-2024-9900/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1097 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1097/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1098 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1098/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1472 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1472/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1767 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1767/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1974 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1974/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-24513 page",
"url": "https://www.suse.com/security/cve/CVE-2025-24513/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-24514 page",
"url": "https://www.suse.com/security/cve/CVE-2025-24514/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-24920 page",
"url": "https://www.suse.com/security/cve/CVE-2025-24920/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-25068 page",
"url": "https://www.suse.com/security/cve/CVE-2025-25068/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-25274 page",
"url": "https://www.suse.com/security/cve/CVE-2025-25274/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27612 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27612/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27715 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27715/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27933 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27933/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-29778 page",
"url": "https://www.suse.com/security/cve/CVE-2025-29778/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-29914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-29914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-29922 page",
"url": "https://www.suse.com/security/cve/CVE-2025-29922/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-29923 page",
"url": "https://www.suse.com/security/cve/CVE-2025-29923/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30077 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30077/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30153 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30153/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30162 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30162/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30163 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30163/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30179 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30179/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30204 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30204/"
}
],
"title": "govulncheck-vulndb-0.0.20250327T184518-1.1 on GA media",
"tracking": {
"current_release_date": "2025-03-28T00:00:00Z",
"generator": {
"date": "2025-03-28T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14937-1",
"initial_release_date": "2025-03-28T00:00:00Z",
"revision_history": [
{
"date": "2025-03-28T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"product": {
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"product_id": "govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"product": {
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"product_id": "govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"product": {
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"product_id": "govulncheck-vulndb-0.0.20250327T184518-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64",
"product": {
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64",
"product_id": "govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64"
},
"product_reference": "govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le"
},
"product_reference": "govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x"
},
"product_reference": "govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
},
"product_reference": "govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-25132",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-25132"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true, regardless of the installation status, and a positive timespan for the spec.hibernateAfter value. If a ClusterSync.hiveinternal.openshift.io/v1alpha1 resource is also created, the hive hibernation controller will enter the reconciliation loop leading to a panic when accessing a non-existing field in the ClusterDeployment\u0027s status section, resulting in a denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-25132",
"url": "https://www.suse.com/security/cve/CVE-2024-25132"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-25132"
},
{
"cve": "CVE-2024-53348",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53348"
}
],
"notes": [
{
"category": "general",
"text": "LoxiLB v.0.9.7 and before is vulnerable to Incorrect Access Control which allows attackers to obtain sensitive information and escalate privileges.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53348",
"url": "https://www.suse.com/security/cve/CVE-2024-53348"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-53348"
},
{
"cve": "CVE-2024-53351",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53351"
}
],
"notes": [
{
"category": "general",
"text": "Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account\u0027s token, leading to escalation of privileges.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53351",
"url": "https://www.suse.com/security/cve/CVE-2024-53351"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2024-53351"
},
{
"cve": "CVE-2024-7598",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-7598"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-7598",
"url": "https://www.suse.com/security/cve/CVE-2024-7598"
},
{
"category": "external",
"summary": "SUSE Bug 1240110 for CVE-2024-7598",
"url": "https://bugzilla.suse.com/1240110"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2024-7598"
},
{
"cve": "CVE-2024-7631",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-7631"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint\u0027s lng and ns parameters are used to construct a filepath in pkg/plugins/handlers unsafely.go#L112 Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON files on the console\u0027s pod by using sequences of ../ and valid directory paths.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-7631",
"url": "https://www.suse.com/security/cve/CVE-2024-7631"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-7631"
},
{
"cve": "CVE-2024-9042",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-9042"
}
],
"notes": [
{
"category": "general",
"text": "This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-9042",
"url": "https://www.suse.com/security/cve/CVE-2024-9042"
},
{
"category": "external",
"summary": "SUSE Bug 1235978 for CVE-2024-9042",
"url": "https://bugzilla.suse.com/1235978"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-9042"
},
{
"cve": "CVE-2024-9900",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-9900"
}
],
"notes": [
{
"category": "general",
"text": "mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts in the context of the victim\u0027s browser, potentially compromising user sessions, stealing session cookies, redirecting users to malicious websites, or manipulating the DOM.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-9900",
"url": "https://www.suse.com/security/cve/CVE-2024-9900"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-9900"
},
{
"cve": "CVE-2025-1097",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1097"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1097",
"url": "https://www.suse.com/security/cve/CVE-2025-1097"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-1097"
},
{
"cve": "CVE-2025-1098",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1098"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1098",
"url": "https://www.suse.com/security/cve/CVE-2025-1098"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-1098"
},
{
"cve": "CVE-2025-1472",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1472"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 9.11.x \u003c= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1472",
"url": "https://www.suse.com/security/cve/CVE-2025-1472"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-1472"
},
{
"cve": "CVE-2025-1767",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1767"
}
],
"notes": [
{
"category": "general",
"text": "This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1767",
"url": "https://www.suse.com/security/cve/CVE-2025-1767"
},
{
"category": "external",
"summary": "SUSE Bug 1239643 for CVE-2025-1767",
"url": "https://bugzilla.suse.com/1239643"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-1767"
},
{
"cve": "CVE-2025-1974",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1974"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1974",
"url": "https://www.suse.com/security/cve/CVE-2025-1974"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-1974"
},
{
"cve": "CVE-2025-24513",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-24513"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-24513",
"url": "https://www.suse.com/security/cve/CVE-2025-24513"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-24513"
},
{
"cve": "CVE-2025-24514",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-24514"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-24514",
"url": "https://www.suse.com/security/cve/CVE-2025-24514"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-24514"
},
{
"cve": "CVE-2025-24920",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-24920"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.4.x \u003c= 10.4.2, 10.3.x \u003c= 10.3.3, 9.11.x \u003c= 9.11.8, 10.5.x \u003c= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-24920",
"url": "https://www.suse.com/security/cve/CVE-2025-24920"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-24920"
},
{
"cve": "CVE-2025-25068",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-25068"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.4.x \u003c= 10.4.2, 10.3.x \u003c= 10.3.3, 9.11.x \u003c= 9.11.8, 10.5.x \u003c= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-25068",
"url": "https://www.suse.com/security/cve/CVE-2025-25068"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-25068"
},
{
"cve": "CVE-2025-25274",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-25274"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.4.x \u003c= 10.4.2, 10.3.x \u003c= 10.3.3, 9.11.x \u003c= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-25274",
"url": "https://www.suse.com/security/cve/CVE-2025-25274"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-25274"
},
{
"cve": "CVE-2025-27612",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27612"
}
],
"notes": [
{
"category": "general",
"text": "libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container. However, setting inherited caps in any case for tenant container can lead to elevation of capabilities, similar to CVE-2022-29162. This does not affect youki binary itself. This is only applicable if you are using libcontainer directly and using the tenant builder.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27612",
"url": "https://www.suse.com/security/cve/CVE-2025-27612"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-27612"
},
{
"cve": "CVE-2025-27715",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27715"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 9.11.x \u003c= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27715",
"url": "https://www.suse.com/security/cve/CVE-2025-27715"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-27715"
},
{
"cve": "CVE-2025-27933",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27933"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.4.x \u003c= 10.4.2, 10.3.x \u003c= 10.3.3, 9.11.x \u003c= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27933",
"url": "https://www.suse.com/security/cve/CVE-2025-27933"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-27933"
},
{
"cve": "CVE-2025-29778",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-29778"
}
],
"notes": [
{
"category": "general",
"text": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact\u0027s sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-29778",
"url": "https://www.suse.com/security/cve/CVE-2025-29778"
},
{
"category": "external",
"summary": "SUSE Bug 1240021 for CVE-2025-29778",
"url": "https://bugzilla.suse.com/1240021"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-29778"
},
{
"cve": "CVE-2025-29914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-29914"
}
],
"notes": [
{
"category": "general",
"text": "OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Prior to 3.3.3, if a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php. This can lead to a rules bypass. This vulnerability is fixed in 3.3.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-29914",
"url": "https://www.suse.com/security/cve/CVE-2025-29914"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-29914"
},
{
"cve": "CVE-2025-29922",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-29922"
}
],
"notes": [
{
"category": "general",
"text": "kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-29922",
"url": "https://www.suse.com/security/cve/CVE-2025-29922"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-29922"
},
{
"cve": "CVE-2025-29923",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-29923"
}
],
"notes": [
{
"category": "general",
"text": "go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-29923",
"url": "https://www.suse.com/security/cve/CVE-2025-29923"
},
{
"category": "external",
"summary": "SUSE Bug 1241152 for CVE-2025-29923",
"url": "https://bugzilla.suse.com/1241152"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-29923"
},
{
"cve": "CVE-2025-30077",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30077"
}
],
"notes": [
{
"category": "general",
"text": "Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30077",
"url": "https://www.suse.com/security/cve/CVE-2025-30077"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-30077"
},
{
"cve": "CVE-2025-30153",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30153"
}
],
"notes": [
{
"category": "general",
"text": "kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30153",
"url": "https://www.suse.com/security/cve/CVE-2025-30153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-30153"
},
{
"cve": "CVE-2025-30162",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30162"
}
],
"notes": [
{
"category": "general",
"text": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30162",
"url": "https://www.suse.com/security/cve/CVE-2025-30162"
},
{
"category": "external",
"summary": "SUSE Bug 1240019 for CVE-2025-30162",
"url": "https://bugzilla.suse.com/1240019"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-30162"
},
{
"cve": "CVE-2025-30163",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30163"
}
],
"notes": [
{
"category": "general",
"text": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30163",
"url": "https://www.suse.com/security/cve/CVE-2025-30163"
},
{
"category": "external",
"summary": "SUSE Bug 1240020 for CVE-2025-30163",
"url": "https://bugzilla.suse.com/1240020"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-30163"
},
{
"cve": "CVE-2025-30179",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30179"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.4.x \u003c= 10.4.2, 10.3.x \u003c= 10.3.3, 9.11.x \u003c= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30179",
"url": "https://www.suse.com/security/cve/CVE-2025-30179"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-30179"
},
{
"cve": "CVE-2025-30204",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30204"
}
],
"notes": [
{
"category": "general",
"text": "golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function\u0027s argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30204",
"url": "https://www.suse.com/security/cve/CVE-2025-30204"
},
{
"category": "external",
"summary": "SUSE Bug 1240441 for CVE-2025-30204",
"url": "https://bugzilla.suse.com/1240441"
},
{
"category": "external",
"summary": "SUSE Bug 1240442 for CVE-2025-30204",
"url": "https://bugzilla.suse.com/1240442"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-30204"
}
]
}
opensuse-su-2025:15052-1
Vulnerability from csaf_opensuse
Published
2025-05-05 00:00
Modified
2025-05-05 00:00
Summary
grafana-11.5.4-1.1 on GA media
Notes
Title of the patch
grafana-11.5.4-1.1 on GA media
Description of the patch
These are all security issues fixed in the grafana-11.5.4-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15052
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-11.5.4-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-11.5.4-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15052",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15052-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:15052-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PKSIUOW7HIED3L6UVUD2KMZSPDHNUTO/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:15052-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PKSIUOW7HIED3L6UVUD2KMZSPDHNUTO/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-6104 page",
"url": "https://www.suse.com/security/cve/CVE-2024-6104/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-2703 page",
"url": "https://www.suse.com/security/cve/CVE-2025-2703/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-29923 page",
"url": "https://www.suse.com/security/cve/CVE-2025-29923/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30204 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30204/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-3454 page",
"url": "https://www.suse.com/security/cve/CVE-2025-3454/"
}
],
"title": "grafana-11.5.4-1.1 on GA media",
"tracking": {
"current_release_date": "2025-05-05T00:00:00Z",
"generator": {
"date": "2025-05-05T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15052-1",
"initial_release_date": "2025-05-05T00:00:00Z",
"revision_history": [
{
"date": "2025-05-05T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.5.4-1.1.aarch64",
"product": {
"name": "grafana-11.5.4-1.1.aarch64",
"product_id": "grafana-11.5.4-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.5.4-1.1.ppc64le",
"product": {
"name": "grafana-11.5.4-1.1.ppc64le",
"product_id": "grafana-11.5.4-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.5.4-1.1.s390x",
"product": {
"name": "grafana-11.5.4-1.1.s390x",
"product_id": "grafana-11.5.4-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-11.5.4-1.1.x86_64",
"product": {
"name": "grafana-11.5.4-1.1.x86_64",
"product_id": "grafana-11.5.4-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.5.4-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64"
},
"product_reference": "grafana-11.5.4-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.5.4-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le"
},
"product_reference": "grafana-11.5.4-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.5.4-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x"
},
"product_reference": "grafana-11.5.4-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-11.5.4-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
},
"product_reference": "grafana-11.5.4-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-6104",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-6104"
}
],
"notes": [
{
"category": "general",
"text": "go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-6104",
"url": "https://www.suse.com/security/cve/CVE-2024-6104"
},
{
"category": "external",
"summary": "SUSE Bug 1227024 for CVE-2024-6104",
"url": "https://bugzilla.suse.com/1227024"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-05T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-6104"
},
{
"cve": "CVE-2025-2703",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-2703"
}
],
"notes": [
{
"category": "general",
"text": "The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. \n\nA user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-2703",
"url": "https://www.suse.com/security/cve/CVE-2025-2703"
},
{
"category": "external",
"summary": "SUSE Bug 1241687 for CVE-2025-2703",
"url": "https://bugzilla.suse.com/1241687"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-05T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-2703"
},
{
"cve": "CVE-2025-29923",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-29923"
}
],
"notes": [
{
"category": "general",
"text": "go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-29923",
"url": "https://www.suse.com/security/cve/CVE-2025-29923"
},
{
"category": "external",
"summary": "SUSE Bug 1241152 for CVE-2025-29923",
"url": "https://bugzilla.suse.com/1241152"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-05T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-29923"
},
{
"cve": "CVE-2025-30204",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30204"
}
],
"notes": [
{
"category": "general",
"text": "golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function\u0027s argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30204",
"url": "https://www.suse.com/security/cve/CVE-2025-30204"
},
{
"category": "external",
"summary": "SUSE Bug 1240441 for CVE-2025-30204",
"url": "https://bugzilla.suse.com/1240441"
},
{
"category": "external",
"summary": "SUSE Bug 1240442 for CVE-2025-30204",
"url": "https://bugzilla.suse.com/1240442"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-05T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-30204"
},
{
"cve": "CVE-2025-3454",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-3454"
}
],
"notes": [
{
"category": "general",
"text": "This vulnerability in Grafana\u0027s datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path.\n\nUsers with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources.\n\nThe issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-3454",
"url": "https://www.suse.com/security/cve/CVE-2025-3454"
},
{
"category": "external",
"summary": "SUSE Bug 1241683 for CVE-2025-3454",
"url": "https://bugzilla.suse.com/1241683"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-11.5.4-1.1.aarch64",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.s390x",
"openSUSE Tumbleweed:grafana-11.5.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-05T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-3454"
}
]
}
opensuse-su-2025:15508-1
Vulnerability from csaf_opensuse
Published
2025-09-01 00:00
Modified
2025-09-01 00:00
Summary
rekor-1.4.1-1.1 on GA media
Notes
Title of the patch
rekor-1.4.1-1.1 on GA media
Description of the patch
These are all security issues fixed in the rekor-1.4.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15508
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "rekor-1.4.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the rekor-1.4.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15508",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15508-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-29923 page",
"url": "https://www.suse.com/security/cve/CVE-2025-29923/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58058 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58058/"
}
],
"title": "rekor-1.4.1-1.1 on GA media",
"tracking": {
"current_release_date": "2025-09-01T00:00:00Z",
"generator": {
"date": "2025-09-01T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15508-1",
"initial_release_date": "2025-09-01T00:00:00Z",
"revision_history": [
{
"date": "2025-09-01T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "rekor-1.4.1-1.1.aarch64",
"product": {
"name": "rekor-1.4.1-1.1.aarch64",
"product_id": "rekor-1.4.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rekor-1.4.1-1.1.ppc64le",
"product": {
"name": "rekor-1.4.1-1.1.ppc64le",
"product_id": "rekor-1.4.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rekor-1.4.1-1.1.s390x",
"product": {
"name": "rekor-1.4.1-1.1.s390x",
"product_id": "rekor-1.4.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rekor-1.4.1-1.1.x86_64",
"product": {
"name": "rekor-1.4.1-1.1.x86_64",
"product_id": "rekor-1.4.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rekor-1.4.1-1.1.aarch64"
},
"product_reference": "rekor-1.4.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rekor-1.4.1-1.1.ppc64le"
},
"product_reference": "rekor-1.4.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rekor-1.4.1-1.1.s390x"
},
"product_reference": "rekor-1.4.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rekor-1.4.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rekor-1.4.1-1.1.x86_64"
},
"product_reference": "rekor-1.4.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-29923",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-29923"
}
],
"notes": [
{
"category": "general",
"text": "go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:rekor-1.4.1-1.1.aarch64",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.s390x",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-29923",
"url": "https://www.suse.com/security/cve/CVE-2025-29923"
},
{
"category": "external",
"summary": "SUSE Bug 1241152 for CVE-2025-29923",
"url": "https://bugzilla.suse.com/1241152"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:rekor-1.4.1-1.1.aarch64",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.s390x",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:rekor-1.4.1-1.1.aarch64",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.s390x",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-01T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-29923"
},
{
"cve": "CVE-2025-58058",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58058"
}
],
"notes": [
{
"category": "general",
"text": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn\u0027t include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:rekor-1.4.1-1.1.aarch64",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.s390x",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58058",
"url": "https://www.suse.com/security/cve/CVE-2025-58058"
},
{
"category": "external",
"summary": "SUSE Bug 1248889 for CVE-2025-58058",
"url": "https://bugzilla.suse.com/1248889"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:rekor-1.4.1-1.1.aarch64",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.s390x",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:rekor-1.4.1-1.1.aarch64",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.s390x",
"openSUSE Tumbleweed:rekor-1.4.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-01T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-58058"
}
]
}
wid-sec-w-2025-0633
Vulnerability from csaf_certbund
Published
2025-03-25 23:00
Modified
2025-07-30 22:00
Summary
Gitea: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Gitea ist ein quelloffener Github-Klon.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Gitea ausnutzen, um Daten zu manipulieren, oder einen Denial of Service auszulösen.
Betroffene Betriebssysteme
- Linux
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Gitea ist ein quelloffener Github-Klon.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Gitea ausnutzen, um Daten zu manipulieren, oder einen Denial of Service auszul\u00f6sen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-0633 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0633.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-0633 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0633"
},
{
"category": "external",
"summary": "Gitea Blog vom 2025-03-25",
"url": "https://blog.gitea.com/release-of-1.23.6"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-03-25",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29923"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-03-25",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30204"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3344 vom 2025-03-27",
"url": "https://access.redhat.com/errata/RHSA-2025:3344"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-3344 vom 2025-03-27",
"url": "https://linux.oracle.com/errata/ELSA-2025-3344.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3411 vom 2025-03-31",
"url": "https://access.redhat.com/errata/RHSA-2025:3411"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3503 vom 2025-04-02",
"url": "https://access.redhat.com/errata/RHSA-2025:3503"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:14956-1 vom 2025-04-03",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/MGGR7W7ANU3YEPLMZP3LOTAKB42X53A7/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:14954-1 vom 2025-04-03",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RDRQUFBQNFRUIM2F2EPVEBMFI6LKYQ4J/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3618 vom 2025-04-07",
"url": "https://access.redhat.com/errata/RHSA-2025:3618"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3616 vom 2025-04-07",
"url": "https://access.redhat.com/errata/RHSA-2025:3616"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3743 vom 2025-04-09",
"url": "https://access.redhat.com/errata/RHSA-2025:3743"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3740 vom 2025-04-09",
"url": "https://access.redhat.com/errata/RHSA-2025:3740"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3569 vom 2025-04-09",
"url": "https://access.redhat.com/errata/RHSA-2025:3569"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:14989-1 vom 2025-04-15",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4WVLSK4BXQRTF3JIGHVYEEVTW7AMWO4M/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1285-1 vom 2025-04-15",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/Z3BVKM2LB4JO6BYLQOMHZ5VRPLLAUEU7/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3775 vom 2025-04-16",
"url": "https://access.redhat.com/errata/RHSA-2025:3775"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:14990-1 vom 2025-04-15",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/IC2EUYZRCX6GXM6Y26SHEX6QS2URIZ2I/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3930 vom 2025-04-15",
"url": "https://access.redhat.com/errata/RHSA-2025:3930"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3928 vom 2025-04-15",
"url": "https://access.redhat.com/errata/RHSA-2025:3928"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3929 vom 2025-04-15",
"url": "https://access.redhat.com/errata/RHSA-2025:3929"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3790 vom 2025-04-17",
"url": "https://access.redhat.com/errata/RHSA-2025:3790"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:4502 vom 2025-05-06",
"url": "https://access.redhat.com/errata/RHSA-2025:4502"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:4473 vom 2025-05-05",
"url": "https://access.redhat.com/errata/RHSA-2025:4473"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:4511 vom 2025-05-06",
"url": "https://access.redhat.com/errata/RHSA-2025:4511"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15052-1 vom 2025-05-06",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2PKSIUOW7HIED3L6UVUD2KMZSPDHNUTO/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:4422 vom 2025-05-08",
"url": "https://access.redhat.com/errata/RHSA-2025:4422"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:4409 vom 2025-05-08",
"url": "https://access.redhat.com/errata/RHSA-2025:4409"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2025-121049BBF7 vom 2025-05-15",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-121049bbf7"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-7967 vom 2025-05-21",
"url": "https://linux.oracle.com/errata/ELSA-2025-7967.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:8274 vom 2025-05-29",
"url": "https://rhn.redhat.com/errata/RHSA-2025:8274.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:9541 vom 2025-06-24",
"url": "https://access.redhat.com/errata/RHSA-2025:9541"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:11396 vom 2025-07-18",
"url": "https://access.redhat.com/errata/RHSA-2025:11396"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:11749 vom 2025-07-24",
"url": "https://access.redhat.com/errata/RHSA-2025:11749"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-EPEL-2025-AB0FAE74F1 vom 2025-07-26",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-ab0fae74f1"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:11669 vom 2025-07-31",
"url": "https://access.redhat.com/errata/RHSA-2025:11669"
}
],
"source_lang": "en-US",
"title": "Gitea: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-07-30T22:00:00.000+00:00",
"generator": {
"date": "2025-07-31T07:49:36.859+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-0633",
"initial_release_date": "2025-03-25T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-03-25T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-03-27T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
},
{
"date": "2025-03-31T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-04-01T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-04-03T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-04-06T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-04-09T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-04-15T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von openSUSE, SUSE und Red Hat aufgenommen"
},
{
"date": "2025-04-16T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-05-05T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-05-06T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-05-07T22:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-05-14T22:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Fedora aufgenommen"
},
{
"date": "2025-05-20T22:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-05-29T22:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-06-24T22:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-07-20T22:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-07-24T22:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-07-27T22:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von Fedora aufgenommen"
},
{
"date": "2025-07-30T22:00:00.000+00:00",
"number": "20",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "20"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Fedora Linux",
"product": {
"name": "Fedora Linux",
"product_id": "74185",
"product_identification_helper": {
"cpe": "cpe:/o:fedoraproject:fedora:-"
}
}
}
],
"category": "vendor",
"name": "Fedora"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.23.6",
"product": {
"name": "Open Source Gitea \u003c1.23.6",
"product_id": "T042141"
}
},
{
"category": "product_version",
"name": "1.23.6",
"product": {
"name": "Open Source Gitea 1.23.6",
"product_id": "T042141-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:gitea:gitea:1.23.6"
}
}
}
],
"category": "product_name",
"name": "Gitea"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "Container Platform \u003c4.15.50",
"product": {
"name": "Red Hat OpenShift Container Platform \u003c4.15.50",
"product_id": "T043405"
}
},
{
"category": "product_version",
"name": "Container Platform 4.15.50",
"product": {
"name": "Red Hat OpenShift Container Platform 4.15.50",
"product_id": "T043405-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform__4.15.50"
}
}
},
{
"category": "product_version_range",
"name": "Container Platform \u003c4.12.76",
"product": {
"name": "Red Hat OpenShift Container Platform \u003c4.12.76",
"product_id": "T043457"
}
},
{
"category": "product_version",
"name": "Container Platform 4.12.76",
"product": {
"name": "Red Hat OpenShift Container Platform 4.12.76",
"product_id": "T043457-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform__4.12.76"
}
}
},
{
"category": "product_version_range",
"name": "Container Platform \u003c4.14.54",
"product": {
"name": "Red Hat OpenShift Container Platform \u003c4.14.54",
"product_id": "T045757"
}
},
{
"category": "product_version",
"name": "Container Platform 4.14.54",
"product": {
"name": "Red Hat OpenShift Container Platform 4.14.54",
"product_id": "T045757-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform__4.14.54"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-29923",
"product_status": {
"known_affected": [
"T043457",
"T002207",
"67646",
"T045757",
"T043405",
"T027843",
"T004914",
"T042141",
"74185"
]
},
"release_date": "2025-03-25T23:00:00.000+00:00",
"title": "CVE-2025-29923"
},
{
"cve": "CVE-2025-30204",
"product_status": {
"known_affected": [
"T043457",
"T002207",
"67646",
"T045757",
"T043405",
"T027843",
"T004914",
"T042141",
"74185"
]
},
"release_date": "2025-03-25T23:00:00.000+00:00",
"title": "CVE-2025-30204"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…