govulncheck-vulndb-0.0.20250908T141310-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16600 Final 1 1 2025-09-10T00:00:00Z current 2025-09-10T00:00:00Z 2025-09-10T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20250908T141310-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20250908T141310-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16600 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-52284/ SUSE CVE CVE-2024-52284 page https://www.suse.com/security/cve/CVE-2024-58259/ SUSE CVE CVE-2024-58259 page https://www.suse.com/security/cve/CVE-2025-51667/ SUSE CVE CVE-2025-51667 page https://www.suse.com/security/cve/CVE-2025-53884/ SUSE CVE CVE-2025-53884 page https://www.suse.com/security/cve/CVE-2025-54467/ SUSE CVE CVE-2025-54467 page https://www.suse.com/security/cve/CVE-2025-55190/ SUSE CVE CVE-2025-55190 page https://www.suse.com/security/cve/CVE-2025-56760/ SUSE CVE CVE-2025-56760 page https://www.suse.com/security/cve/CVE-2025-56761/ SUSE CVE CVE-2025-56761 page https://www.suse.com/security/cve/CVE-2025-58355/ SUSE CVE CVE-2025-58355 page https://www.suse.com/security/cve/CVE-2025-6203/ SUSE CVE CVE-2025-6203 page https://www.suse.com/security/cve/CVE-2025-8077/ SUSE CVE CVE-2025-8077 page https://www.suse.com/security/cve/CVE-2025-9566/ SUSE CVE CVE-2025-9566 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20250908T141310-1.1 govulncheck-vulndb-0.0.20250908T141310-1.1 as a component of openSUSE Tumbleweed Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets. CVE-2024-52284 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-52284.html CVE-2024-52284 https://bugzilla.suse.com/1246842 SUSE Bug 1246842 A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a malicious user to exploit this by sending excessively large payloads, which are fully loaded into memory during processing, leading to Denial of Service (DoS). CVE-2024-58259 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-58259.html CVE-2024-58259 https://bugzilla.suse.com/1246839 SUSE Bug 1246839 An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations. CVE-2025-51667 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-51667.html CVE-2025-51667 NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed). CVE-2025-53884 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-53884.html CVE-2025-53884 https://bugzilla.suse.com/1247841 SUSE Bug 1247841 When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log. CVE-2025-54467 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54467.html CVE-2025-54467 https://bugzilla.suse.com/1247842 SUSE Bug 1247842 Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2. CVE-2025-55190 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-55190.html CVE-2025-55190 When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server. CVE-2025-56760 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-56760.html CVE-2025-56760 Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin. CVE-2025-56761 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-56761.html CVE-2025-56761 Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0. CVE-2025-58355 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58355.html CVE-2025-58355 A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault's auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25. CVE-2025-6203 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-6203.html CVE-2025-6203 A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs. CVE-2025-8077 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-8077.html CVE-2025-8077 https://bugzilla.suse.com/1247840 SUSE Bug 1247840 There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1 CVE-2025-9566 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250908T141310-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-9566.html CVE-2025-9566 https://bugzilla.suse.com/1249154 SUSE Bug 1249154