govulncheck-vulndb-0.0.20250818T190335-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16531 Final 1 1 2025-08-20T00:00:00Z current 2025-08-20T00:00:00Z 2025-08-20T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250818T190335-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250818T190335-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16531 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-26154/ SUSE CVE CVE-2023-26154 page https://www.suse.com/security/cve/CVE-2025-44001/ SUSE CVE CVE-2025-44001 page https://www.suse.com/security/cve/CVE-2025-44004/ SUSE CVE CVE-2025-44004 page https://www.suse.com/security/cve/CVE-2025-48731/ SUSE CVE CVE-2025-48731 page https://www.suse.com/security/cve/CVE-2025-49221/ SUSE CVE CVE-2025-49221 page https://www.suse.com/security/cve/CVE-2025-50946/ SUSE CVE CVE-2025-50946 page https://www.suse.com/security/cve/CVE-2025-52931/ SUSE CVE CVE-2025-52931 page https://www.suse.com/security/cve/CVE-2025-53514/ SUSE CVE CVE-2025-53514 page https://www.suse.com/security/cve/CVE-2025-53857/ SUSE CVE CVE-2025-53857 page https://www.suse.com/security/cve/CVE-2025-53910/ SUSE CVE CVE-2025-53910 page https://www.suse.com/security/cve/CVE-2025-54458/ SUSE CVE CVE-2025-54458 page https://www.suse.com/security/cve/CVE-2025-54463/ SUSE CVE CVE-2025-54463 page https://www.suse.com/security/cve/CVE-2025-54478/ SUSE CVE CVE-2025-54478 page https://www.suse.com/security/cve/CVE-2025-54525/ SUSE CVE CVE-2025-54525 page https://www.suse.com/security/cve/CVE-2025-55196/ SUSE CVE CVE-2025-55196 page https://www.suse.com/security/cve/CVE-2025-55198/ SUSE CVE CVE-2025-55198 page https://www.suse.com/security/cve/CVE-2025-55199/ SUSE CVE CVE-2025-55199 page https://www.suse.com/security/cve/CVE-2025-8285/ SUSE CVE CVE-2025-8285 page https://www.suse.com/security/cve/CVE-2025-9039/ SUSE CVE CVE-2025-9039 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250818T190335-1.1 govulncheck-vulndb-0.0.20250818T190335-1.1 as a component of openSUSE Tumbleweed Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. **Note:** In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption. CVE-2023-26154 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-26154.html CVE-2023-26154 Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint. CVE-2025-44001 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-44001.html CVE-2025-44001 Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint. CVE-2025-44004 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-44004.html CVE-2025-44004 Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint. CVE-2025-48731 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-48731.html CVE-2025-48731 Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint. CVE-2025-49221 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-49221.html CVE-2025-49221 OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go. CVE-2025-50946 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-50946.html CVE-2025-50946 Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to update channel subscription endpoint with an invalid request body. CVE-2025-52931 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-52931.html CVE-2025-52931 Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. CVE-2025-53514 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-53514.html CVE-2025-53514 Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint. CVE-2025-53857 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-53857.html CVE-2025-53857 Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create a channel subscription without proper access to the channel via API call to the edit channel subscription endpoint. CVE-2025-53910 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-53910.html CVE-2025-53910 Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription endpoint. CVE-2025-54458 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54458.html CVE-2025-54458 Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. CVE-2025-54463 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54463.html CVE-2025-54463 Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint. CVE-2025-54478 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54478.html CVE-2025-54478 Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid request body. CVE-2025-54525 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54525.html CVE-2025-54525 External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions. An attacker with the ability to create or update PushSecret resources and control SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces. This could lead to full disclosure of Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster. This vulnerability has been patched in version 0.19.2. A workaround for this issue includes auditing and restricting RBAC permissions so that only trusted service accounts can create or update PushSecret and SecretStore resources. CVE-2025-55196 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-55196.html CVE-2025-55196 Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, when parsing Chart.yaml and index.yaml files, an improper validation of type error can lead to a panic. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring YAML files are formatted as Helm expects prior to processing them with Helm. CVE-2025-55198 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-55198.html CVE-2025-55198 https://bugzilla.suse.com/1248092 SUSE Bug 1248092 Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero. CVE-2025-55199 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-55199.html CVE-2025-55199 https://bugzilla.suse.com/1248093 SUSE Bug 1248093 Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API call to the create channel subscription endpoint. CVE-2025-8285 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-8285.html CVE-2025-8285 We identified an issue in the Amazon ECS agent where, under certain conditions, an introspection server could be accessed off-host by another instance if the instances are in the same security group or if their security groups allow incoming connections that include the port where the server is hosted. This issue does not affect instances where the option to allow off-host access to the introspection server is set to 'false'. This issue has been addressed in ECS agent version 1.97.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. If customers cannot update to the latest AMI, they can modify the Amazon EC2 security groups to restrict incoming access to the introspection server port (51678). CVE-2025-9039 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-9039.html CVE-2025-9039