Security update for govulncheck-vulndb SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:3799-1 Final 1 1 2025-10-27T07:58:29Z current 2025-10-27T07:58:29Z 2025-10-27T07:58:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for govulncheck-vulndb This update for govulncheck-vulndb fixes the following issues: - Update to version 0.0.20251023T162509 2025-10-23T16:25:09Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-3979 CVE-2025-59824 GHSA-hqrf-67pm-wgfq * GO-2025-3981 CVE-2025-59823 GHSA-227x-7mh8-3cf6 * GO-2025-3982 CVE-2025-54468 GHSA-mjcp-rj3c-36fr * GO-2025-3983 CVE-2024-58260 GHSA-q82v-h4rq-5c86 * GO-2025-3984 CVE-2024-58267 GHSA-v3vj-5868-2ch2 * GO-2025-3985 GHSA-q6hv-wcjr-wp8h * GO-2025-3986 CVE-2025-59163 GHSA-6q9c-m9fr-865m * GO-2025-3989 CVE-2025-59941 GHSA-7pq9-rf9p-wcrf * GO-2025-3990 CVE-2025-59942 GHSA-g99p-47x7-mq88 * GO-2025-3991 CVE-2025-59956 GHSA-w64r-2g3w-w8w4 * GO-2025-3992 CVE-2025-23266 GHSA-vmg3-7v43-9g23 * GO-2025-3993 CVE-2025-59531 GHSA-f9gq-prrc-hrhc * GO-2025-3994 CVE-2025-55191 GHSA-g88p-r42r-ppp9 * GO-2025-3995 CVE-2025-59538 GHSA-gpx4-37g2-c8pv * GO-2025-3996 CVE-2025-59537 GHSA-wp4p-9pxh-cgx2 * GO-2025-3997 CVE-2025-61595 GHSA-qwvm-wqq8-8j69 * GO-2025-3998 CVE-2025-23267 GHSA-67jc-hmvg-q4c7 * GO-2025-4018 CVE-2025-61926 GHSA-33f4-mjch-7fpr * GO-2025-4019 GHSA-xc79-566c-j4qx - Update to version 0.0.20250924T192141 2025-09-24T19:21:41Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-3962 CVE-2025-59341 GHSA-49pv-gwxp-532r * GO-2025-3963 CVE-2025-59348 GHSA-2qgr-gfvj-qpcr * GO-2025-3964 CVE-2025-59349 GHSA-8425-8r2f-mrv6 * GO-2025-3965 CVE-2025-59345 GHSA-89vc-vf32-ch59 * GO-2025-3966 CVE-2025-59347 GHSA-98x5-jw98-6c97 * GO-2025-3967 CVE-2025-59342 GHSA-g2h5-cvvr-7gmw * GO-2025-3968 CVE-2025-59346 GHSA-g2rq-jv54-wcpr * GO-2025-3969 CVE-2025-59353 GHSA-255v-qv84-29p5 * GO-2025-3970 CVE-2025-59351 GHSA-4mhv-8rh3-4ghw * GO-2025-3971 CVE-2025-59352 GHSA-79hx-3fp8-hj66 * GO-2025-3972 CVE-2025-59350 GHSA-c2fc-9q9c-5486 * GO-2025-3973 CVE-2025-59354 GHSA-hx2h-vjw2-8r54 * GO-2025-3974 CVE-2025-59410 GHSA-mcvp-rpgg-9273 * GO-2025-3976 CVE-2025-10630 GHSA-g4rr-88fc-26fj * GO-2025-3977 CVE-2025-9079 GHSA-qx3f-6vq3-8j8m * GO-2025-3978 CVE-2025-9081 GHSA-f72g-52v7-mg3p - Update to version 0.0.20250922T204835 2025-09-22T20:48:35Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-3955 CVE-2025-47910 CVE-2025-47910 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3799,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-3799,openSUSE-SLE-15.6-2025-3799 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ Link for SUSE-SU-2025:3799-1 https://lists.suse.com/pipermail/sle-security-updates/2025-October/023030.html E-Mail link for SUSE-SU-2025:3799-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-58260/ SUSE CVE CVE-2024-58260 page https://www.suse.com/security/cve/CVE-2024-58267/ SUSE CVE CVE-2024-58267 page https://www.suse.com/security/cve/CVE-2025-10630/ SUSE CVE CVE-2025-10630 page https://www.suse.com/security/cve/CVE-2025-23266/ SUSE CVE CVE-2025-23266 page https://www.suse.com/security/cve/CVE-2025-23267/ SUSE CVE CVE-2025-23267 page https://www.suse.com/security/cve/CVE-2025-47910/ SUSE CVE CVE-2025-47910 page https://www.suse.com/security/cve/CVE-2025-54468/ SUSE CVE CVE-2025-54468 page https://www.suse.com/security/cve/CVE-2025-55191/ SUSE CVE CVE-2025-55191 page https://www.suse.com/security/cve/CVE-2025-59163/ SUSE CVE CVE-2025-59163 page https://www.suse.com/security/cve/CVE-2025-59341/ SUSE CVE CVE-2025-59341 page https://www.suse.com/security/cve/CVE-2025-59342/ SUSE CVE CVE-2025-59342 page https://www.suse.com/security/cve/CVE-2025-59345/ SUSE CVE CVE-2025-59345 page https://www.suse.com/security/cve/CVE-2025-59346/ SUSE CVE CVE-2025-59346 page https://www.suse.com/security/cve/CVE-2025-59347/ SUSE CVE CVE-2025-59347 page https://www.suse.com/security/cve/CVE-2025-59348/ SUSE CVE CVE-2025-59348 page https://www.suse.com/security/cve/CVE-2025-59349/ SUSE CVE CVE-2025-59349 page https://www.suse.com/security/cve/CVE-2025-59350/ SUSE CVE CVE-2025-59350 page https://www.suse.com/security/cve/CVE-2025-59351/ SUSE CVE CVE-2025-59351 page https://www.suse.com/security/cve/CVE-2025-59352/ SUSE CVE CVE-2025-59352 page https://www.suse.com/security/cve/CVE-2025-59353/ SUSE CVE CVE-2025-59353 page https://www.suse.com/security/cve/CVE-2025-59354/ SUSE CVE CVE-2025-59354 page https://www.suse.com/security/cve/CVE-2025-59410/ SUSE CVE CVE-2025-59410 page https://www.suse.com/security/cve/CVE-2025-59531/ SUSE CVE CVE-2025-59531 page https://www.suse.com/security/cve/CVE-2025-59537/ SUSE CVE CVE-2025-59537 page https://www.suse.com/security/cve/CVE-2025-59538/ SUSE CVE CVE-2025-59538 page https://www.suse.com/security/cve/CVE-2025-59823/ SUSE CVE CVE-2025-59823 page https://www.suse.com/security/cve/CVE-2025-59824/ SUSE CVE CVE-2025-59824 page https://www.suse.com/security/cve/CVE-2025-59941/ SUSE CVE CVE-2025-59941 page https://www.suse.com/security/cve/CVE-2025-59942/ SUSE CVE CVE-2025-59942 page https://www.suse.com/security/cve/CVE-2025-59956/ SUSE CVE CVE-2025-59956 page https://www.suse.com/security/cve/CVE-2025-61595/ SUSE CVE CVE-2025-61595 page https://www.suse.com/security/cve/CVE-2025-61926/ SUSE CVE CVE-2025-61926 page https://www.suse.com/security/cve/CVE-2025-9079/ SUSE CVE CVE-2025-9079 page https://www.suse.com/security/cve/CVE-2025-9081/ SUSE CVE CVE-2025-9081 page SUSE Linux Enterprise Module for Package Hub 15 SP6 openSUSE Leap 15.6 A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. CVE-2024-58260 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2024-58260.html CVE-2024-58260 https://bugzilla.suse.com/1246840 SUSE Bug 1246840 A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher's authentication tokens. CVE-2024-58267 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2024-58267.html CVE-2024-58267 https://bugzilla.suse.com/1249100 SUSE Bug 1249100 Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS vulnerability via user-supplied regex query which could causes CPU usage to max out. This vulnerability is fixed in version 6.0.0. CVE-2025-10630 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-10630.html CVE-2025-10630 NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service. CVE-2025-23266 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-23266.html CVE-2025-23266 https://bugzilla.suse.com/1246860 SUSE Bug 1246860 NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of service. CVE-2025-23267 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-23267.html CVE-2025-23267 https://bugzilla.suse.com/1246614 SUSE Bug 1246614 When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections. CVE-2025-47910 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-47910.html CVE-2025-47910 https://bugzilla.suse.com/1249141 SUSE Bug 1249141 A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. email addresses. CVE-2025-54468 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-54468.html CVE-2025-54468 https://bugzilla.suse.com/1249103 SUSE Bug 1249103 Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19. CVE-2025-55191 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-55191.html CVE-2025-55191 https://bugzilla.suse.com/1250695 SUSE Bug 1250695 vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool. This issue is fixed in version 1.12.5. CVE-2025-59163 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59163.html CVE-2025-59163 esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources). CVE-2025-59341 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59341.html CVE-2025-59341 esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application's storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. CVE-2025-59342 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59342.html CVE-2025-59342 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators. This vulnerability is fixed in 2.1.0. CVE-2025-59345 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59345.html CVE-2025-59345 Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2's components to make requests to internal services that are otherwise not accessible to them. The issue arises because the Manager API accepts a user-supplied URL when creating a Preheat job with weak validation, peers can trigger other peers to fetch an arbitrary URL through pieceManager.DownloadSource, and internal HTTP clients follow redirects, allowing a request to a malicious server to be redirected to internal services. This can be used to probe or access internal HTTP endpoints. The vulnerability is fixed in version 2.1.0. CVE-2025-59346 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59346.html CVE-2025-59346 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0. CVE-2025-59347 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59347.html CVE-2025-59347 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure's usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. A task is processed by a peer. The usedTraffic metadata is not updated during the processing. Rate limiting is incorrectly applied, leading to a denial-of-service condition for the peer. This vulnerability is fixed in 2.1.0. CVE-2025-59348 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59348.html CVE-2025-59348 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0. CVE-2025-59349 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59349.html CVE-2025-59349 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction's execution times. This vulnerability is fixed in 2.1.0. CVE-2025-59350 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59350.html CVE-2025-59350 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability is fixed in 2.1.0. CVE-2025-59351 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59351.html CVE-2025-59351 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers' secret data and to gain remote code execution (RCE) capabilities on the peer's machine.This vulnerability is fixed in 2.1.0. CVE-2025-59352 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59352.html CVE-2025-59352 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager's Certificate gRPC service does not validate if the requested IP addresses "belong to" the peer requesting the certificate-that is, if the peer connects from the same IP address as the one provided in the certificate request. This vulnerability is fixed in 2.1.0. CVE-2025-59353 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59353.html CVE-2025-59353 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding hash. This vulnerability is fixed in 2.1.0. CVE-2025-59354 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59354.html CVE-2025-59354 Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. This vulnerability is fixed in 2.1.0. CVE-2025-59410 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59410.html CVE-2025-59410 Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19. CVE-2025-59531 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59531.html CVE-2025-59531 https://bugzilla.suse.com/1250899 SUSE Bug 1250899 Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD's /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19. CVE-2025-59537 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59537.html CVE-2025-59537 https://bugzilla.suse.com/1250909 SUSE Bug 1250909 Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19. CVE-2025-59538 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59538.html CVE-2025-59538 https://bugzilla.suse.com/1250914 SUSE Bug 1250914 Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0. CVE-2025-59823 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59823.html CVE-2025-59823 Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authorize access. The WireGuard interface on Omni is configured to ensure that the source IP address of an incoming packet matches the IPv6 address assigned to the Talos peer. However, it performs no validation on the packet's destination address. The Talos end of the SideroLink connection cannot be considered a trusted environment. Workloads running on Kubernetes, especially those configured with host networking, could gain direct access to this link. Therefore, a malicious workload could theoretically send arbitrary packets over the SideroLink interface. This issue has been patched in version 0.48.0. CVE-2025-59824 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59824.html CVE-2025-59824 go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.8 and below, go-f3's justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by submitting a valid message with a correct justification and then reusing the same cached justification in contexts where it would normally be invalid. This occurs because the cached verification does not properly validate the relationship between the justification and the specific message context it's being used with. This issue is fixed in version 0.8.9. CVE-2025-59941 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59941.html CVE-2025-59941 go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can can cause integer overflow in the signer index validation, which can cause the whole node to crash. These malicious messages aren't self-propagating since the bug is in the validator. An attacker needs to directly send the message to all targets. This issue is fixed in version 0.8.7. CVE-2025-59942 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59942.html CVE-2025-59942 AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. This allows for the unauthorized exfiltration of sensitive user data, specifically local message history, which can include secret keys, file system contents, and intellectual property the user was working on locally. This issue is fixed in version 0.4.0. CVE-2025-59956 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-59956.html CVE-2025-59956 MANTRA is a purpose-built RWA Layer 1 Blockchain, capable of adherence to real world regulatory requirements. Versions 4.0.1 and below do not enforce the tx gas limit in its send hooks. Send hooks can spend more gas than what remains in tx, combined with recursive calls in the wasm contract, potentially amplifying the gas consumption exponentially. This is fixed in version 4.0.2. CVE-2025-61595 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-61595.html CVE-2025-61595 Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar's Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. Those who have not enabled or exposed the Reviewbot endpoint are not exposed to this issue. CVE-2025-61926 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-61926.html CVE-2025-61926 Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory CVE-2025-9079 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-9079.html CVE-2025-9079 Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration CVE-2025-9081 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253799-1/ https://www.suse.com/security/cve/CVE-2025-9081.html CVE-2025-9081