SUSE update for SUSE Manager Client Tools
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-22037 |
| CWE-ID | CWE-200 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
SUSE Manager Client Tools for Ubuntu 20.04 Operating systems & Components / Operating system mgrctl Operating systems & Components / Operating system package or component mgrctl-zsh-completion Operating systems & Components / Operating system package or component salt-minion Operating systems & Components / Operating system package or component spacecmd Operating systems & Components / Operating system package or component mgrctl-fish-completion Operating systems & Components / Operating system package or component mgrctl-bash-completion Operating systems & Components / Operating system package or component salt-common Operating systems & Components / Operating system package or component scap-security-guide-ubuntu Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU104016
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-22037
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the uyuni-server-attestation systemd service uses the database_password environment variable to store password. A local user can obtain the password via systemd.
MitigationUpdate the affected package SUSE Manager Client Tools to the latest version.
Vulnerable software versionsSUSE Manager Client Tools for Ubuntu 20.04: 2004
mgrctl: before 0.1.28-2.16.2
mgrctl-zsh-completion: before 0.1.28-2.16.2
salt-minion: before 3006.0+ds-1+2.134.2
spacecmd: before 5.0.11-2.95.2
mgrctl-fish-completion: before 0.1.28-2.16.2
mgrctl-bash-completion: before 0.1.28-2.16.2
salt-common: before 3006.0+ds-1+2.134.2
scap-security-guide-ubuntu: before 0.1.75-2.55.2
CPE2.3- cpe:2.3:o:suse:suse_manager_client_tools_for_ubuntu_20.04:2004:*:*:*:*:*:*:*
- cpe:2.3:o:suse:mgrctl:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:mgrctl-zsh-completion:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:salt-minion:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:spacecmd:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:mgrctl-fish-completion:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:mgrctl-bash-completion:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:salt-common:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:scap-security-guide-ubuntu:*:*:*:*:*:suse_linux:*:*
http://www.suse.com/support/update/announcement/202501/suse-su-20250115286-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
