govulncheck-vulndb-0.0.20250523T151856-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15159-1 Final 1 1 2025-05-26T00:00:00Z current 2025-05-26T00:00:00Z 2025-05-26T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250523T151856-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250523T151856-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15159 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ E-Mail link for openSUSE-SU-2025:15159-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-40120/ SUSE CVE CVE-2024-40120 page https://www.suse.com/security/cve/CVE-2025-1975/ SUSE CVE CVE-2025-1975 page https://www.suse.com/security/cve/CVE-2025-2527/ SUSE CVE CVE-2025-2527 page https://www.suse.com/security/cve/CVE-2025-2570/ SUSE CVE CVE-2025-2570 page https://www.suse.com/security/cve/CVE-2025-31947/ SUSE CVE CVE-2025-31947 page https://www.suse.com/security/cve/CVE-2025-3446/ SUSE CVE CVE-2025-3446 page https://www.suse.com/security/cve/CVE-2025-47282/ SUSE CVE CVE-2025-47282 page https://www.suse.com/security/cve/CVE-2025-47283/ SUSE CVE CVE-2025-47283 page https://www.suse.com/security/cve/CVE-2025-47284/ SUSE CVE CVE-2025-47284 page https://www.suse.com/security/cve/CVE-2025-47290/ SUSE CVE CVE-2025-47290 page https://www.suse.com/security/cve/CVE-2025-47291/ SUSE CVE CVE-2025-47291 page https://www.suse.com/security/cve/CVE-2025-48056/ SUSE CVE CVE-2025-48056 page https://www.suse.com/security/cve/CVE-2025-48069/ SUSE CVE CVE-2025-48069 page https://www.suse.com/security/cve/CVE-2025-5031/ SUSE CVE CVE-2025-5031 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250523T151856-1.1 govulncheck-vulndb-0.0.20250523T151856-1.1 as a component of openSUSE Tumbleweed seaweedfs v3.68 was discovered to contain a SQL injection vulnerability via the component /abstract_sql/abstract_sql_store.go. CVE-2024-40120 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2024-40120.html CVE-2024-40120 A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service. This is due to improper validation of array index access when downloading a model via the /api/pull endpoint, which can lead to a server crash. CVE-2025-1975 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-1975.html CVE-2025-1975 https://bugzilla.suse.com/1243287 SUSE Bug 1243287 Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request. CVE-2025-2527 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-2527.html CVE-2025-2527 Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true via System Console. CVE-2025-2570 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-2570.html CVE-2025-2570 Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures through Mattermost. CVE-2025-31947 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-31947.html CVE-2025-31947 Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team. CVE-2025-3446 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-3446.html CVE-2025-3446 Gardener External DNS Management is an environment to manage external DNS entries for a kubernetes cluster. A security vulnerability was discovered in Gardener's External DNS Management prior to version 0.23.6 that could allow a user with administrative privileges for a Gardener project or a user with administrative privileges for a shoot cluster, including administrative privileges for a single namespace of the shoot cluster, to obtain control over the seed cluster where the shoot cluster is managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. The affected component is `gardener/external-dns-management`. The `external-dns-management` component may also be deployed on the seeds by the `gardener/gardener-extension-shoot-dns-service` extension when the extension is enabled. In this case, all versions of the `shoot-dns-service` extension `<= v1.60.0` are affected by this vulnerability. Version 0.23.6 of Gardener External DNS Management fixes the issue. CVE-2025-47282 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-47282.html CVE-2025-47282 Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. `gardener/gardener` (`gardenlet`) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue. CVE-2025-47283 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-47283.html CVE-2025-47283 Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in the `gardenlet` component of Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations where gardener/gardener-extension-provider-gcp is in use. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue. CVE-2025-47284 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-47284.html CVE-2025-47284 containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. CVE-2025-47290 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-47290.html CVE-2025-47290 https://bugzilla.suse.com/1243392 SUSE Bug 1243392 containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily. CVE-2025-47291 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-47291.html CVE-2025-47291 https://bugzilla.suse.com/1243632 SUSE Bug 1243632 Hubble is a fully distributed networking and security observability platform for cloud native workloads. Prior to version 1.17.2, a network attacker could inject malicious control characters into Hubble CLI terminal output, potentially leading to loss of integrity and manipulation of the output. This could be leveraged to conceal log entries, rewrite output, or even make the terminal temporarily unusable. Exploitation of this attack would require the victim to be monitoring Kafka traffic using Layer 7 Protocol Visibility at the time of the attack. The issue is patched in Hubble CLI v1.17.2. Hubble CLI users who are unable to upgrade can direct their Hubble flows to a log file and inspect the output within a text editor. CVE-2025-48056 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-48056.html CVE-2025-48056 ejson2env allows users to decrypt EJSON secrets and export them as environment variables. Prior to version 2.0.8, the `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to `stdout`. If this output is improperly utilized in further command execution, it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system. Version 2.0.8 sanitizes output during decryption. Other mitigations involve avoiding use of `ejson2env` to decrypt untrusted user secrets and/or avoiding evaluating or executing the direct output from `ejson2env` without removing nonprintable characters. CVE-2025-48069 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-48069.html CVE-2025-48069 A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been rated as problematic. This issue affects some unknown processing of the component wxapkg File Decompression Handler. The manipulation leads to resource consumption. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. CVE-2025-5031 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250523T151856-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBVOKYMJCE2HZLSF5W3H3Q7KEHMMOQR3/ https://www.suse.com/security/cve/CVE-2025-5031.html CVE-2025-5031