{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-68131","title":"Title"},{"category":"description","text":"cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-68131","url":"https://www.suse.com/security/cve/CVE-2025-68131"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1255783 for CVE-2025-68131","url":"https://bugzilla.suse.com/1255783"}],"title":"SUSE CVE CVE-2025-68131","tracking":{"current_release_date":"2026-03-13T14:05:21Z","generator":{"date":"2026-01-01T00:24:18Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-68131","initial_release_date":"2026-01-01T00:24:18Z","revision_history":[{"date":"2026-01-01T00:24:18Z","number":"2","summary":"references added,severity changed from  to moderate"},{"date":"2026-01-04T00:22:40Z","number":"3","summary":"vulnerabilities added"},{"date":"2026-01-09T00:24:20Z","number":"4","summary":"scores added,updates released"},{"date":"2026-01-13T00:29:09Z","number":"5","summary":"more updates marked as affected"},{"date":"2026-03-11T16:52:10Z","number":"6","summary":"unknown changes"},{"date":"2026-03-13T14:05:21Z","number":"7","summary":"more updates marked as affected"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Server 16.0","product":{"name":"SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP applications 16.0","product":{"name":"SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server-sap"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"python-cbor2","product":{"name":"python-cbor2","product_id":"python-cbor2","product_identification_helper":{"purl":"pkg:rpm/suse/python-cbor2@"}}},{"category":"product_version","name":"python311-cbor2-5.8.0-2.1","product":{"name":"python311-cbor2-5.8.0-2.1","product_id":"python311-cbor2-5.8.0-2.1","product_identification_helper":{"purl":"pkg:rpm/suse/python311-cbor2@5.8.0-2.1"}}},{"category":"product_version","name":"python312-cbor2-5.8.0-2.1","product":{"name":"python312-cbor2-5.8.0-2.1","product_id":"python312-cbor2-5.8.0-2.1","product_identification_helper":{"purl":"pkg:rpm/suse/python312-cbor2@5.8.0-2.1"}}},{"category":"product_version","name":"python313-cbor2","product":{"name":"python313-cbor2","product_id":"python313-cbor2","product_identification_helper":{"purl":"pkg:rpm/suse/python313-cbor2@?upstream=python-cbor2.src.rpm"}}},{"category":"product_version","name":"python313-cbor2-5.8.0-2.1","product":{"name":"python313-cbor2-5.8.0-2.1","product_id":"python313-cbor2-5.8.0-2.1","product_identification_helper":{"purl":"pkg:rpm/suse/python313-cbor2@5.8.0-2.1?upstream=python-cbor2-5.8.0-2.1.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"python311-cbor2-5.8.0-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python311-cbor2-5.8.0-2.1"},"product_reference":"python311-cbor2-5.8.0-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python312-cbor2-5.8.0-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python312-cbor2-5.8.0-2.1"},"product_reference":"python312-cbor2-5.8.0-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python313-cbor2-5.8.0-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python313-cbor2-5.8.0-2.1"},"product_reference":"python313-cbor2-5.8.0-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python313-cbor2 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:python313-cbor2"},"product_reference":"python313-cbor2","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"python-cbor2 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:python-cbor2"},"product_reference":"python-cbor2","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"python313-cbor2 as component of SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cbor2"},"product_reference":"python313-cbor2","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP applications 16.0"},{"category":"default_component_of","full_product_name":{"name":"python-cbor2 as component of SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0:python-cbor2"},"product_reference":"python-cbor2","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP applications 16.0"}]},"vulnerabilities":[{"cve":"CVE-2025-68131","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-68131"}],"notes":[{"category":"general","text":"cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.","title":"CVE description"}],"product_status":{"known_affected":["SUSE Linux Enterprise Server 16.0:python-cbor2","SUSE Linux Enterprise Server 16.0:python313-cbor2","SUSE Linux Enterprise Server for SAP applications 16.0:python-cbor2","SUSE Linux Enterprise Server for SAP applications 16.0:python313-cbor2"],"recommended":["openSUSE Tumbleweed:python311-cbor2-5.8.0-2.1","openSUSE Tumbleweed:python312-cbor2-5.8.0-2.1","openSUSE Tumbleweed:python313-cbor2-5.8.0-2.1"]},"references":[{"category":"external","summary":"CVE-2025-68131","url":"https://www.suse.com/security/cve/CVE-2025-68131"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1255783 for CVE-2025-68131","url":"https://bugzilla.suse.com/1255783"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:python311-cbor2-5.8.0-2.1","openSUSE Tumbleweed:python312-cbor2-5.8.0-2.1","openSUSE Tumbleweed:python313-cbor2-5.8.0-2.1"]}],"scores":[{"cvss_v3":{"baseScore":5.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["openSUSE Tumbleweed:python311-cbor2-5.8.0-2.1","openSUSE Tumbleweed:python312-cbor2-5.8.0-2.1","openSUSE Tumbleweed:python313-cbor2-5.8.0-2.1"]}],"threats":[{"category":"impact","date":"2025-12-31T03:03:11Z","details":"moderate"}],"title":"CVE-2025-68131"}]}