govulncheck-vulndb-0.0.20250313T170021-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15955 Final 1 1 2025-03-15T00:00:00Z current 2025-03-15T00:00:00Z 2025-03-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250313T170021-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250313T170021-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15955 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-1725/ SUSE CVE CVE-2024-1725 page https://www.suse.com/security/cve/CVE-2024-52812/ SUSE CVE CVE-2024-52812 page https://www.suse.com/security/cve/CVE-2025-1296/ SUSE CVE CVE-2025-1296 page https://www.suse.com/security/cve/CVE-2025-26260/ SUSE CVE CVE-2025-26260 page https://www.suse.com/security/cve/CVE-2025-27403/ SUSE CVE CVE-2025-27403 page https://www.suse.com/security/cve/CVE-2025-27616/ SUSE CVE CVE-2025-27616 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250313T170021-1.1 govulncheck-vulndb-0.0.20250313T170021-1.1 as a component of openSUSE Tumbleweed A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node. CVE-2024-1725 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250313T170021-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-1725.html CVE-2024-1725 LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. Prior to version 2.0.8, auser with rights to modify the service (e.g. kuiperUser role) can inject a cross-site scripting payload into the rule `id` parameter. Then, after any user with access to this service (e.g. admin) tries make any modifications with the rule (update, run, stop, delete), a payload acts in the victim's browser. Version 2.0.8 fixes the issue. CVE-2024-52812 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250313T170021-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-52812.html CVE-2024-52812 Nomad Community and Nomad Enterprise ("Nomad") are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19. CVE-2025-1296 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250313T170021-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-1296.html CVE-2025-1296 Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution. CVE-2025-26260 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250313T170021-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-26260.html CVE-2025-26260 Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry (ACR). The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure authentication providers may be impacted by a vulnerability that exists in versions prior to 1.2.3 and 1.3.2. Both Azure authentication providers attempt to exchange an Entra ID (EID) token for an ACR refresh token. However, Ratify's Azure authentication providers did not verify that the target registry is an ACR. This could have led to the EID token being presented to a non-ACR registry during token exchange. EID tokens with ACR access can potentially be extracted and abused if a user workload contains an image reference to a malicious registry. As of versions 1.2.3 and 1.3.2, the Azure workload identity and Azure managed identity authentication providers are updated to add new validation prior to EID token exchange. Validation relies upon registry domain validation against a pre-configured list of well-known ACR endpoints. EID token exchange will be executed only if at least one of the configured well-known domain suffixes (wildcard support included) matches the registry domain of the image reference. CVE-2025-27403 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250313T170021-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-27403.html CVE-2025-27403 Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available. CVE-2025-27616 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250313T170021-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-27616.html CVE-2025-27616