system-user-velociraptor-1.0.0-5.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13830-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z system-user-velociraptor-1.0.0-5.1 on GA media These are all security issues fixed in the system-user-velociraptor-1.0.0-5.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13830 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-5950/ SUSE CVE CVE-2023-5950 page https://www.suse.com/security/cve/CVE-2024-28849/ SUSE CVE CVE-2024-28849 page openSUSE Tumbleweed system-user-velociraptor-1.0.0-5.1 velociraptor-0.7.0.4.git74.3426c0a-5.1 system-user-velociraptor-1.0.0-5.1 as a component of openSUSE Tumbleweed velociraptor-0.7.0.4.git74.3426c0a-5.1 as a component of openSUSE Tumbleweed Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1). CVE-2023-5950 openSUSE Tumbleweed:system-user-velociraptor-1.0.0-5.1 openSUSE Tumbleweed:velociraptor-0.7.0.4.git74.3426c0a-5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5950.html CVE-2023-5950 https://bugzilla.suse.com/1216925 SUSE Bug 1216925 follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2024-28849 openSUSE Tumbleweed:system-user-velociraptor-1.0.0-5.1 openSUSE Tumbleweed:velociraptor-0.7.0.4.git74.3426c0a-5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-28849.html CVE-2024-28849 https://bugzilla.suse.com/1221450 SUSE Bug 1221450