{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-27403","title":"Title"},{"category":"description","text":"Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry (ACR). The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure authentication providers may be impacted by a vulnerability that exists in versions prior to 1.2.3 and 1.3.2. Both Azure authentication providers attempt to exchange an Entra ID (EID) token for an ACR refresh token. However, Ratify's Azure authentication providers did not verify that the target registry is an ACR. This could have led to the EID token being presented to a non-ACR registry during token exchange. EID tokens with ACR access can potentially be extracted and abused if a user workload contains an image reference to a malicious registry. As of versions 1.2.3 and 1.3.2, the Azure workload identity and Azure managed identity authentication providers are updated to add new validation prior to EID token exchange. Validation relies upon registry domain validation against a pre-configured list of well-known ACR endpoints. EID token exchange will be executed only if at least one of the configured well-known domain suffixes (wildcard support included) matches the registry domain of the image reference.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-27403","url":"https://www.suse.com/security/cve/CVE-2025-27403"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:14893-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IISU33DXNWHOYGRCT77IPABZTMARV5T6/"}],"title":"SUSE CVE CVE-2025-27403","tracking":{"current_release_date":"2026-01-16T00:37:10Z","generator":{"date":"2025-03-16T02:48:45Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-27403","initial_release_date":"2025-03-16T02:48:45Z","revision_history":[{"date":"2025-03-16T02:48:45Z","number":"2","summary":"Current version"},{"date":"2025-03-17T02:57:47Z","number":"3","summary":"Current version"},{"date":"2025-03-27T00:14:13Z","number":"4","summary":"Current version"},{"date":"2025-11-03T00:33:12Z","number":"5","summary":"Current version"},{"date":"2025-12-17T00:44:18Z","number":"6","summary":"description changed"},{"date":"2025-12-19T00:42:06Z","number":"7","summary":"description changed"},{"date":"2026-01-16T00:37:10Z","number":"8","summary":"unknown changes"}],"status":"interim","version":"8"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Server 16.0","product":{"name":"SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250313T170021-1.1","product":{"name":"govulncheck-vulndb-0.0.20250313T170021-1.1","product_id":"govulncheck-vulndb-0.0.20250313T170021-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250313T170021-1.1?upstream=govulncheck-vulndb-0.0.20250313T170021-1.1.src.rpm"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_id":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250814T182633-160000.1.2?upstream=govulncheck-vulndb-0.0.20250814T182633-160000.1.2.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2"},"product_reference":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250313T170021-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250313T170021-1.1"},"product_reference":"govulncheck-vulndb-0.0.20250313T170021-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2025-27403","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-27403"}],"notes":[{"category":"general","text":"Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry (ACR). The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure authentication providers may be impacted by a vulnerability that exists in versions prior to 1.2.3 and 1.3.2. Both Azure authentication providers attempt to exchange an Entra ID (EID) token for an ACR refresh token. However, Ratify's Azure authentication providers did not verify that the target registry is an ACR. This could have led to the EID token being presented to a non-ACR registry during token exchange. EID tokens with ACR access can potentially be extracted and abused if a user workload contains an image reference to a malicious registry. As of versions 1.2.3 and 1.3.2, the Azure workload identity and Azure managed identity authentication providers are updated to add new validation prior to EID token exchange. Validation relies upon registry domain validation against a pre-configured list of well-known ACR endpoints. EID token exchange will be executed only if at least one of the configured well-known domain suffixes (wildcard support included) matches the registry domain of the image reference.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250313T170021-1.1"]},"references":[{"category":"external","summary":"CVE-2025-27403","url":"https://www.suse.com/security/cve/CVE-2025-27403"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:14893-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IISU33DXNWHOYGRCT77IPABZTMARV5T6/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250313T170021-1.1"]}],"threats":[{"category":"impact","date":"2025-03-11T15:00:52Z","details":"important"}],"title":"CVE-2025-27403"}]}