Vulnerability from csaf_opensuse
Published
2024-12-22 00:00
Modified
2024-12-22 00:00
Summary
govulncheck-vulndb-0.0.20241220T214820-1.1 on GA media
Notes
Title of the patch
govulncheck-vulndb-0.0.20241220T214820-1.1 on GA media
Description of the patch
These are all security issues fixed in the govulncheck-vulndb-0.0.20241220T214820-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14608
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "govulncheck-vulndb-0.0.20241220T214820-1.1 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the govulncheck-vulndb-0.0.20241220T214820-1.1 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-14608", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14608-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2024:14608-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RKGXQ5KH45FY7WLT7M5JFCJB2ZEAPTJA/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2024:14608-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RKGXQ5KH45FY7WLT7M5JFCJB2ZEAPTJA/", }, { category: "self", summary: "SUSE CVE CVE-2024-12678 page", url: "https://www.suse.com/security/cve/CVE-2024-12678/", }, { category: "self", summary: "SUSE CVE CVE-2024-25131 page", url: "https://www.suse.com/security/cve/CVE-2024-25131/", }, { category: "self", summary: "SUSE CVE CVE-2024-43803 page", url: "https://www.suse.com/security/cve/CVE-2024-43803/", }, { category: "self", summary: "SUSE CVE CVE-2024-9779 page", url: "https://www.suse.com/security/cve/CVE-2024-9779/", }, ], title: "govulncheck-vulndb-0.0.20241220T214820-1.1 on GA media", tracking: { current_release_date: "2024-12-22T00:00:00Z", generator: { date: "2024-12-22T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:14608-1", initial_release_date: "2024-12-22T00:00:00Z", revision_history: [ { date: "2024-12-22T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", product: { name: "govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", product_id: "govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", product: { name: "govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", product_id: "govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", product: { name: "govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", product_id: "govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", product: { name: "govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", product_id: "govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", }, product_reference: "govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", }, product_reference: "govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "govulncheck-vulndb-0.0.20241220T214820-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", }, product_reference: "govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", }, product_reference: "govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2024-12678", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-12678", }, ], notes: [ { category: "general", text: "Nomad Community and Nomad Enterprise (\"Nomad\") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-12678", url: "https://www.suse.com/security/cve/CVE-2024-12678", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-12-22T00:00:00Z", details: "important", }, ], title: "CVE-2024-12678", }, { cve: "CVE-2024-25131", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-25131", }, ], notes: [ { category: "general", text: "A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can allow a standard developer user to escalate their privileges to a cluster administrator and pivot to the AWS environment.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-25131", url: "https://www.suse.com/security/cve/CVE-2024-25131", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-12-22T00:00:00Z", details: "important", }, ], title: "CVE-2024-25131", }, { cve: "CVE-2024-43803", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-43803", }, ], notes: [ { category: "general", text: "The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the `Name` and `Namespace` of the Secret, meaning that versions of the baremetal-operator prior to 0.8.0, 0.6.2, and 0.5.2 will read a `Secret` from any namespace. A user with access to create or edit a `BareMetalHost` can thus exfiltrate a `Secret` from another namespace by using it as e.g. the `userData` for provisioning some host (note that this need not be a real host, it could be a VM somewhere).\n\nBMO will only read a key with the name `value` (or `userData`, `metaData`, or `networkData`), so that limits the exposure somewhat. `value` is probably a pretty common key though. Secrets used by _other_ `BareMetalHost`s in different namespaces are always vulnerable. It is probably relatively unusual for anyone other than cluster administrators to have RBAC access to create/edit a `BareMetalHost`. This vulnerability is only meaningful, if the cluster has users other than administrators and users' privileges are limited to their respective namespaces.\n\nThe patch prevents BMO from accepting links to Secrets from other namespaces as BMH input. Any BMH configuration is only read from the same namespace only. The problem is patched in BMO releases v0.7.0, v0.6.2 and v0.5.2 and users should upgrade to those versions. Prior upgrading, duplicate the BMC Secrets to the namespace where the corresponding BMH is. After upgrade, remove the old Secrets. As a workaround, an operator can configure BMO RBAC to be namespace scoped for Secrets, instead of cluster scoped, to prevent BMO from accessing Secrets from other namespaces.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-43803", url: "https://www.suse.com/security/cve/CVE-2024-43803", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-12-22T00:00:00Z", details: "moderate", }, ], title: "CVE-2024-43803", }, { cve: "CVE-2024-9779", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-9779", }, ], notes: [ { category: "general", text: "A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name \"cluster-manager\" which is bound to a ClusterRole also named \"cluster-manager\", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-9779", url: "https://www.suse.com/security/cve/CVE-2024-9779", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.aarch64", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.ppc64le", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.s390x", "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241220T214820-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-12-22T00:00:00Z", details: "important", }, ], title: "CVE-2024-9779", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.