govulncheck-vulndb-0.0.20250527T204717-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16241 Final 1 1 2025-05-30T00:00:00Z current 2025-05-30T00:00:00Z 2025-05-30T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250527T204717-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250527T204717-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16241 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-4123/ SUSE CVE CVE-2025-4123 page https://www.suse.com/security/cve/CVE-2025-48075/ SUSE CVE CVE-2025-48075 page https://www.suse.com/security/cve/CVE-2025-48371/ SUSE CVE CVE-2025-48371 page https://www.suse.com/security/cve/CVE-2025-48374/ SUSE CVE CVE-2025-48374 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250527T204717-1.1 govulncheck-vulndb-0.0.20250527T204717-1.1 as a component of openSUSE Tumbleweed A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive. CVE-2025-4123 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250527T204717-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-4123.html CVE-2025-4123 https://bugzilla.suse.com/1243714 SUSE Bug 1243714 Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue. CVE-2025-48075 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250527T204717-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-48075.html CVE-2025-48075 OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples's user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible. CVE-2025-48371 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250527T204717-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-48371.html CVE-2025-48371 zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout logs for an example at container startup. Version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) fixes the issue. CVE-2025-48374 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250527T204717-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-48374.html CVE-2025-48374