govulncheck-vulndb-0.0.20250327T184518-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:14937-1 Final 1 1 2025-03-28T00:00:00Z current 2025-03-28T00:00:00Z 2025-03-28T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250327T184518-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250327T184518-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-14937 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ E-Mail link for openSUSE-SU-2025:14937-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-25132/ SUSE CVE CVE-2024-25132 page https://www.suse.com/security/cve/CVE-2024-53348/ SUSE CVE CVE-2024-53348 page https://www.suse.com/security/cve/CVE-2024-53351/ SUSE CVE CVE-2024-53351 page https://www.suse.com/security/cve/CVE-2024-7598/ SUSE CVE CVE-2024-7598 page https://www.suse.com/security/cve/CVE-2024-7631/ SUSE CVE CVE-2024-7631 page https://www.suse.com/security/cve/CVE-2024-9042/ SUSE CVE CVE-2024-9042 page https://www.suse.com/security/cve/CVE-2024-9900/ SUSE CVE CVE-2024-9900 page https://www.suse.com/security/cve/CVE-2025-1097/ SUSE CVE CVE-2025-1097 page https://www.suse.com/security/cve/CVE-2025-1098/ SUSE CVE CVE-2025-1098 page https://www.suse.com/security/cve/CVE-2025-1472/ SUSE CVE CVE-2025-1472 page https://www.suse.com/security/cve/CVE-2025-1767/ SUSE CVE CVE-2025-1767 page https://www.suse.com/security/cve/CVE-2025-1974/ SUSE CVE CVE-2025-1974 page https://www.suse.com/security/cve/CVE-2025-24513/ SUSE CVE CVE-2025-24513 page https://www.suse.com/security/cve/CVE-2025-24514/ SUSE CVE CVE-2025-24514 page https://www.suse.com/security/cve/CVE-2025-24920/ SUSE CVE CVE-2025-24920 page https://www.suse.com/security/cve/CVE-2025-25068/ SUSE CVE CVE-2025-25068 page https://www.suse.com/security/cve/CVE-2025-25274/ SUSE CVE CVE-2025-25274 page https://www.suse.com/security/cve/CVE-2025-27612/ SUSE CVE CVE-2025-27612 page https://www.suse.com/security/cve/CVE-2025-27715/ SUSE CVE CVE-2025-27715 page https://www.suse.com/security/cve/CVE-2025-27933/ SUSE CVE CVE-2025-27933 page https://www.suse.com/security/cve/CVE-2025-29778/ SUSE CVE CVE-2025-29778 page https://www.suse.com/security/cve/CVE-2025-29914/ SUSE CVE CVE-2025-29914 page https://www.suse.com/security/cve/CVE-2025-29922/ SUSE CVE CVE-2025-29922 page https://www.suse.com/security/cve/CVE-2025-29923/ SUSE CVE CVE-2025-29923 page https://www.suse.com/security/cve/CVE-2025-30077/ SUSE CVE CVE-2025-30077 page https://www.suse.com/security/cve/CVE-2025-30153/ SUSE CVE CVE-2025-30153 page https://www.suse.com/security/cve/CVE-2025-30162/ SUSE CVE CVE-2025-30162 page https://www.suse.com/security/cve/CVE-2025-30163/ SUSE CVE CVE-2025-30163 page https://www.suse.com/security/cve/CVE-2025-30179/ SUSE CVE CVE-2025-30179 page https://www.suse.com/security/cve/CVE-2025-30204/ SUSE CVE CVE-2025-30204 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250327T184518-1.1 govulncheck-vulndb-0.0.20250327T184518-1.1 as a component of openSUSE Tumbleweed A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true, regardless of the installation status, and a positive timespan for the spec.hibernateAfter value. If a ClusterSync.hiveinternal.openshift.io/v1alpha1 resource is also created, the hive hibernation controller will enter the reconciliation loop leading to a panic when accessing a non-existing field in the ClusterDeployment's status section, resulting in a denial of service. CVE-2024-25132 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2024-25132.html CVE-2024-25132 LoxiLB v.0.9.7 and before is vulnerable to Incorrect Access Control which allows attackers to obtain sensitive information and escalate privileges. CVE-2024-53348 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2024-53348.html CVE-2024-53348 Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges. CVE-2024-53351 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2024-53351.html CVE-2024-53351 A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced. CVE-2024-7598 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2024-7598.html CVE-2024-7598 https://bugzilla.suse.com/1240110 SUSE Bug 1240110 A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers unsafely.go#L112 Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON files on the console's pod by using sequences of ../ and valid directory paths. CVE-2024-7631 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2024-7631.html CVE-2024-7631 This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below. CVE-2024-9042 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2024-9042.html CVE-2024-9042 https://bugzilla.suse.com/1235978 SUSE Bug 1235978 mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts in the context of the victim's browser, potentially compromising user sessions, stealing session cookies, redirecting users to malicious websites, or manipulating the DOM. CVE-2024-9900 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2024-9900.html CVE-2024-9900 A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) CVE-2025-1097 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-1097.html CVE-2025-1097 A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) CVE-2025-1098 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-1098.html CVE-2025-1098 Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. CVE-2025-1472 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-1472.html CVE-2025-1472 This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable. CVE-2025-1767 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-1767.html CVE-2025-1767 https://bugzilla.suse.com/1239643 SUSE Bug 1239643 A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) CVE-2025-1974 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-1974.html CVE-2025-1974 A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster. CVE-2025-24513 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-24513.html CVE-2025-24513 A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) CVE-2025-24514 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-24514.html CVE-2025-24514 Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels CVE-2025-24920 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-24920.html CVE-2025-24920 Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes. CVE-2025-25068 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-25068.html CVE-2025-25068 Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels. CVE-2025-25274 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-25274.html CVE-2025-25274 libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container. However, setting inherited caps in any case for tenant container can lead to elevation of capabilities, similar to CVE-2022-29162. This does not affect youki binary itself. This is only applicable if you are using libcontainer directly and using the tenant builder. CVE-2025-27612 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-27612.html CVE-2025-27612 Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them. CVE-2025-27715 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-27715.html CVE-2025-27715 Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public CVE-2025-27933 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-27933.html CVE-2025-27933 Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were signed by unexpected certificate. Deploying these unauthorized kubernetes resources can lead to full compromise of kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue. CVE-2025-29778 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-29778.html CVE-2025-29778 https://bugzilla.suse.com/1240021 SUSE Bug 1240021 OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Prior to 3.3.3, if a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php. This can lead to a rules bypass. This vulnerability is fixed in 3.3.3. CVE-2025-29914 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-29914.html CVE-2025-29914 kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. A fix for this issue has been identified and has been published with kcp 0.26.3 and 0.27.0. CVE-2025-29922 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-29922.html CVE-2025-29922 go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance. CVE-2025-29923 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-29923.html CVE-2025-29923 https://bugzilla.suse.com/1241152 SUSE Bug 1241152 Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits. CVE-2025-30077 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-30077.html CVE-2025-30077 kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0. CVE-2025-30153 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-30153.html CVE-2025-30153 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade. CVE-2025-30162 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-30162.html CVE-2025-30162 https://bugzilla.suse.com/1240019 SUSE Bug 1240019 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints. CVE-2025-30163 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-30163.html CVE-2025-30163 https://bugzilla.suse.com/1240020 SUSE Bug 1240020 Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries. CVE-2025-30179 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-30179.html CVE-2025-30179 golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2. CVE-2025-30204 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250327T184518-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NEVFAGUWHTVZSJTUAIU6C4S26DP2KIGB/ https://www.suse.com/security/cve/CVE-2025-30204.html CVE-2025-30204 https://bugzilla.suse.com/1240441 SUSE Bug 1240441 https://bugzilla.suse.com/1240442 SUSE Bug 1240442