Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
EUVDB-ID: #VU36806
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-8614
CWE-ID:
CWE-320 - Key Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU36808
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-8628
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to execute arbitrary code.
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU7411
Risk: Low
CVSSv3.1: 2 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-8647
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to bypass security restrictions on the target system.
The weakness exists due to input validation error in Ansible's mysql_user module that may lead to incorrect password changing. An adjacent attacker can use the previous password and bypass security restrictions.
Successful exploitation of the vulnerability may result in access to the system.
Update the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU6639
Risk: Medium
CVSSv3.1: 8.1 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-9587,CVE-2017-7466
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing responses, send by clients to Ansible server. A remote client can send a specially crafted response and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU12555
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7550
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to improper passing of certain parameters to the jenkins_plugin module. A remote attacker can gain access to potentially sensitive sensitive information from a remote host's logs.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU14157
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10874
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to the system reads the 'ansible.cfg' file from the current working directory when running an ad-hoc command. A local attacker can modify the file to reference arbitrary plugin or module paths and execute arbitrary code from those paths with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU29567
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-10744
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incomplete fix for race condition for SB2020032420 #8 (CVE-2020-1733) on systems using ACLs and FUSE filesystems. A local user can exploit the race and escalate privileges on the system.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU47114
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-14330
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to gain access to sensitive information.
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU47115
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-14332
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to gain access to sensitive information.
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU47274
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-14365
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to #BASIC_IMPACT#.
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU29029
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-1753
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to software stores sensitive information into log files when managing Kubernetes using the k8s connection plugin. A local user can read the log files and gain access to sensitive data.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU84381
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-5764
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when handling templates. A remote user can remove the unsafe designation from template data and execute arbitrary code on the system.
Update the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU89210
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6152
CWE-ID:
CWE-863 - Incorrect Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass email verification.
The vulnerability exists due to email addresses are verified only during sign up, if "verify_email_enabled" option is set. A remote attacker can register an account and then set an arbitrary email address without verification.
Update the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85621
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0690
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due memory leak caused by a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. A local user can gain access to potentially sensitive information.
Update the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU87845
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-1313
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization.
The vulnerability exists due to improper authorization checks. A remote user outside an organization can send a DELETE request to /api/snapshots/ using its view key to bypass authorization and delete a snapshot.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Real Time 15: SP1 - SP6
openSUSE Leap: 15.3 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP6
SUSE Linux Enterprise Server 15: SP1 - SP6
SUSE Linux Enterprise Desktop 15: SP1 - SP6
SUSE Linux Enterprise Micro: 5.0 - 5.5
SUSE Package Hub 15: 15-SP5
SUSE Manager Proxy Module: 4.3
SUSE Manager Client Tools for SLE Micro: 5
SUSE Manager Client Tools for SLE: 15
SUSE Linux Enterprise High Performance Computing 15: SP1 - SP5
SUSE Linux Enterprise Desktop: 15-SP1
SUSE Linux Enterprise Server: 15-SP3-LTSS
SUSE Linux Enterprise High Performance Computing: 15-SP3-LTSS
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Proxy: 4.3
SUSE Linux Enterprise Server for SAP Applications: 15
grafana: before 9.5.18-150000.1.63.2
python3-uyuni-common-libs: before 4.3.10-150000.1.39.2
grafana-debuginfo: before 9.5.18-150000.1.63.2
spacewalk-check: before 4.3.19-150000.3.89.2
python3-spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-check: before 4.3.19-150000.3.89.2
spacewalk-client-setup: before 4.3.19-150000.3.89.2
spacewalk-koan: before 4.3.6-150000.3.33.2
mgr-daemon: before 4.3.9-150000.1.47.2
uyuni-proxy-systemd-services: before 4.3.12-150000.1.21.2
spacewalk-client-tools: before 4.3.19-150000.3.89.2
python3-spacewalk-client-setup: before 4.3.19-150000.3.89.2
python3-spacewalk-koan: before 4.3.6-150000.3.33.2
golang-github-prometheus-promu: before 0.14.0-150000.3.18.2
dracut-saltboot: before 0.1.1710765237.46af599-150000.1.53.2
POS_Image-Graphical7: before 0.1.1710765237.46af599-150000.1.21.2
spacecmd: before 4.3.27-150000.3.116.2
ansible-doc: before 2.9.27-150000.1.17.2
ansible-test: before 2.9.27-150000.1.17.2
ansible: before 2.9.27-150000.1.17.2
POS_Image-JeOS7: before 0.1.1710765237.46af599-150000.1.21.2
External linkshttp://www.suse.com/support/update/announcement/2024/suse-su-20241509-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.