Security update for govulncheck-vulndb SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:4395-1 Final 1 1 2025-12-15T11:15:27Z current 2025-12-15T11:15:27Z 2025-12-15T11:15:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for govulncheck-vulndb This update for govulncheck-vulndb fixes the following issues: - Update to version 0.0.20251209T172047 2025-12-09T17:20:47Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4006 CVE-2025-61725 * GO-2025-4176 CVE-2025-65105 GHSA-j3rw-fx6g-q46j * GO-2025-4177 CVE-2025-64750 GHSA-wwrx-w7c9-rf87 * GO-2025-4178 CVE-2025-13870 GHSA-58w6-w55x-6wq8 * GO-2025-4179 CVE-2025-64443 GHSA-46gc-mwh4-cc5r * GO-2025-4180 CVE-2025-44005 GHSA-h8cp-697h-8c8p * GO-2025-4181 CVE-2025-66406 GHSA-j7c9-79x7-8hpr * GO-2025-4182 CVE-2025-66411 GHSA-jf75-p25m-pw74 * GO-2025-4183 CVE-2017-18870 GHSA-9j9j-mm2r-9rfm * GO-2025-4184 CVE-2017-18871 GHSA-jc6w-8r7f-vmp5 * GO-2025-4185 CVE-2017-18902 GHSA-jwfv-5hwq-f97r * GO-2025-4186 CVE-2017-18875 GHSA-9rr5-q43r-ccv4 * GO-2025-4187 CVE-2017-18876 GHSA-hjqh-j6rj-gh8q * GO-2025-4189 CVE-2017-18879 GHSA-498j-wxww-j897 * GO-2025-4190 CVE-2017-18877 GHSA-9x8x-w6g5-hx4w * GO-2025-4192 CVE-2025-66564 GHSA-4qg8-fj49-pxjh * GO-2025-4193 CVE-2025-66506 GHSA-f83f-xpx7-ffpw * GO-2025-4197 CVE-2017-18884 GHSA-876j-jfqf-m7j7 * GO-2025-4198 CVE-2017-18883 GHSA-w8cc-3h7q-jhc3 - Update to version 0.0.20251203T174324 2025-12-03T17:43:24Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4155 CVE-2025-61729 * GO-2025-4163 CVE-2025-60638 GHSA-f2hj-vpp9-6vm2 * GO-2025-4164 CVE-2025-60632 GHSA-vgq7-9r5r-j9v3 * GO-2025-4171 CVE-2025-66410 GHSA-jrhg-82w2-vvj7 * GO-2025-4172 CVE-2025-12756 GHSA-p6gj-jc38-x2m7 * GO-2025-4174 CVE-2025-13353 GHSA-69jw-4jj8-fcxm * GO-2025-4175 CVE-2025-61727 - Update to version 0.0.20251125T181218 2025-11-25T18:12:18Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4133 CVE-2025-55074 GHSA-9hh7-6558-qfp2 * GO-2025-4138 CVE-2025-65025 GHSA-h3mw-4f23-gwpw * GO-2025-4139 CVE-2025-65026 GHSA-hcpf-qv9m-vfgp * GO-2025-4146 CVE-2018-21258 GHSA-5mh6-p63g-3mv5 * GO-2025-4147 GHSA-6xvf-4vh9-mw47 * GO-2025-4149 CVE-2025-13425 GHSA-f786-75f3-74xj * GO-2025-4150 CVE-2025-64751 GHSA-2c64-vmv2-hgfc * GO-2025-4151 CVE-2025-65111 GHSA-9m7r-g8hg-x3vr * GO-2025-4152 CVE-2025-13357 GHSA-gmm6-j2g5-r52m * GO-2025-4153 CVE-2025-41115 GHSA-w62r-7c53-fmc5 * GO-2025-4156 CVE-2025-64761 GHSA-7ff4-jw48-3436 * GO-2025-4157 GHSA-2fcv-qww3-9v6h * GO-2025-4158 GHSA-rj4j-2jph-gg43 * GO-2025-4159 GHSA-xq4h-wqm2-668w * GO-2025-4160 CVE-2025-65965 GHSA-6gxw-85q2-q646 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-4395,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4395,openSUSE-SLE-15.6-2025-4395 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ Link for SUSE-SU-2025:4395-1 https://lists.suse.com/pipermail/sle-security-updates/2025-December/023542.html E-Mail link for SUSE-SU-2025:4395-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-18870/ SUSE CVE CVE-2017-18870 page https://www.suse.com/security/cve/CVE-2017-18871/ SUSE CVE CVE-2017-18871 page https://www.suse.com/security/cve/CVE-2017-18875/ SUSE CVE CVE-2017-18875 page https://www.suse.com/security/cve/CVE-2017-18876/ SUSE CVE CVE-2017-18876 page https://www.suse.com/security/cve/CVE-2017-18877/ SUSE CVE CVE-2017-18877 page https://www.suse.com/security/cve/CVE-2017-18879/ SUSE CVE CVE-2017-18879 page https://www.suse.com/security/cve/CVE-2017-18883/ SUSE CVE CVE-2017-18883 page https://www.suse.com/security/cve/CVE-2017-18884/ SUSE CVE CVE-2017-18884 page https://www.suse.com/security/cve/CVE-2017-18902/ SUSE CVE CVE-2017-18902 page https://www.suse.com/security/cve/CVE-2018-21258/ SUSE CVE CVE-2018-21258 page https://www.suse.com/security/cve/CVE-2025-12756/ SUSE CVE CVE-2025-12756 page https://www.suse.com/security/cve/CVE-2025-13353/ SUSE CVE CVE-2025-13353 page https://www.suse.com/security/cve/CVE-2025-13357/ SUSE CVE CVE-2025-13357 page https://www.suse.com/security/cve/CVE-2025-13425/ SUSE CVE CVE-2025-13425 page https://www.suse.com/security/cve/CVE-2025-13870/ SUSE CVE CVE-2025-13870 page https://www.suse.com/security/cve/CVE-2025-41115/ SUSE CVE CVE-2025-41115 page https://www.suse.com/security/cve/CVE-2025-44005/ SUSE CVE CVE-2025-44005 page https://www.suse.com/security/cve/CVE-2025-55074/ SUSE CVE CVE-2025-55074 page https://www.suse.com/security/cve/CVE-2025-60632/ SUSE CVE CVE-2025-60632 page https://www.suse.com/security/cve/CVE-2025-60638/ SUSE CVE CVE-2025-60638 page https://www.suse.com/security/cve/CVE-2025-61725/ SUSE CVE CVE-2025-61725 page https://www.suse.com/security/cve/CVE-2025-61727/ SUSE CVE CVE-2025-61727 page https://www.suse.com/security/cve/CVE-2025-61729/ SUSE CVE CVE-2025-61729 page https://www.suse.com/security/cve/CVE-2025-64443/ SUSE CVE CVE-2025-64443 page https://www.suse.com/security/cve/CVE-2025-64750/ SUSE CVE CVE-2025-64750 page https://www.suse.com/security/cve/CVE-2025-64751/ SUSE CVE CVE-2025-64751 page https://www.suse.com/security/cve/CVE-2025-64761/ SUSE CVE CVE-2025-64761 page https://www.suse.com/security/cve/CVE-2025-65025/ SUSE CVE CVE-2025-65025 page https://www.suse.com/security/cve/CVE-2025-65026/ SUSE CVE CVE-2025-65026 page https://www.suse.com/security/cve/CVE-2025-65105/ SUSE CVE CVE-2025-65105 page https://www.suse.com/security/cve/CVE-2025-65111/ SUSE CVE CVE-2025-65111 page https://www.suse.com/security/cve/CVE-2025-65965/ SUSE CVE CVE-2025-65965 page https://www.suse.com/security/cve/CVE-2025-66406/ SUSE CVE CVE-2025-66406 page https://www.suse.com/security/cve/CVE-2025-66410/ SUSE CVE CVE-2025-66410 page https://www.suse.com/security/cve/CVE-2025-66411/ SUSE CVE CVE-2025-66411 page https://www.suse.com/security/cve/CVE-2025-66506/ SUSE CVE CVE-2025-66506 page https://www.suse.com/security/cve/CVE-2025-66564/ SUSE CVE CVE-2025-66564 page SUSE Linux Enterprise Module for Package Hub 15 SP6 openSUSE Leap 15.6 An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case. CVE-2017-18870 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2017-18870.html CVE-2017-18870 An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name. CVE-2017-18871 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2017-18871.html CVE-2017-18871 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files. CVE-2017-18875 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2017-18875.html CVE-2017-18875 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file. CVE-2017-18876 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2017-18876.html CVE-2017-18876 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page. CVE-2017-18877 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2017-18877.html CVE-2017-18877 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment. CVE-2017-18879 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2017-18879.html CVE-2017-18879 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data. CVE-2017-18883 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2017-18883.html CVE-2017-18883 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens. CVE-2017-18884 moderate 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2017-18884.html CVE-2017-18884 An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints. CVE-2017-18902 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2017-18902.html CVE-2017-18902 An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command. CVE-2018-21258 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2018-21258.html CVE-2018-21258 Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users. CVE-2025-12756 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-12756.html CVE-2025-12756 In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets. Impact This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes: * keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes was used * a malicious entity could have recovered all passwords, generated from a particular seed, having only the seed file in possession without the knowledge of the seed master password Patches The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will be used now. System secret rotation guidance It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of the old secret. A specific rotation procedure is system-dependent, but most common patterns are described below. Systems that do not require the old password/secret for rotation Such systems usually have a "Forgot password" facility or a similar facility allowing users to rotate their password/secrets by sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this facility and input the newly generated password secret, when prompted by the system. Systems that require the old password/secret for rotation Such systems usually have a modal password rotation window usually in the user settings section requiring the user to input the old and the new password sometimes with a confirmation. To generate/recover the old password in such cases users are advised to: * temporarily download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective operating system to recover the old password * use gokey version 0.2.0 or above to generate the new password * populate the system provided password rotation form Systems that allow multiple credentials for the same account to be provisioned Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to: * generate a new secret/key/credential using gokey version 0.2.0 or above * provision the new secret/key/credential in addition to the existing credential on the system * verify that the access or required system operation is still possible with the new secret/key/credential * revoke authorization for the existing/old credential from the system Credit This vulnerability was found by Théo Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare's bug bounty program. CVE-2025-13353 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-13353.html CVE-2025-13353 Vault's Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0. CVE-2025-13357 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-13357.html CVE-2025-13357 A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) in OSV-SCALIBR. CVE-2025-13425 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-13425.html CVE-2025-13425 https://bugzilla.suse.com/1254109 SUSE Bug 1254109 Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to CVE-2025-13870 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-13870.html CVE-2025-13870 SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to true CVE-2025-41115 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-41115.html CVE-2025-41115 unknown CVE-2025-44005 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-44005.html CVE-2025-44005 Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects CVE-2025-55074 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-55074.html CVE-2025-55074 An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API. CVE-2025-60632 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-60632.html CVE-2025-60632 An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API. CVE-2025-60638 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-60638.html CVE-2025-60638 The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. CVE-2025-61725 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-61725.html CVE-2025-61725 https://bugzilla.suse.com/1251253 SUSE Bug 1251253 An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. CVE-2025-61727 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-61727.html CVE-2025-61727 https://bugzilla.suse.com/1254430 SUSE Bug 1254430 Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. CVE-2025-61729 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-61729.html CVE-2025-61729 https://bugzilla.suse.com/1254431 SUSE Bug 1254431 MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a malicious advertisement can perform browser-based exploitation of MCP servers executing behind the gateway, including manipulating tools or other features exposed by those MCP servers. MCP Gateway is not affected when running in the default stdio mode, which does not listen on network ports. Version 0.28.0 fixes this issue. CVE-2025-64443 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-64443.html CVE-2025-64443 SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5. CVE-2025-64750 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-64750.html CVE-2025-64750 OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1. CVE-2025-64751 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-64751.html CVE-2025-64751 https://bugzilla.suse.com/1254112 SUSE Bug 1254112 OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when: an operator in the root namespace has access to identity/groups endpoints and an operator does not have policy access. Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability. This issue has been patched in version 2.4.4. CVE-2025-64761 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-64761.html CVE-2025-64761 https://bugzilla.suse.com/1254225 SUSE Bug 1254225 esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136. CVE-2025-65025 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-65025.html CVE-2025-65025 esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136. CVE-2025-65026 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-65026.html CVE-2025-65026 Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5. CVE-2025-65105 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-65105.html CVE-2025-65105 SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on both sides (but one side arrows to a different permission). Then SpiceDB may have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1. CVE-2025-65111 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-65111.html CVE-2025-65111 Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options. CVE-2025-65965 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-65965.html CVE-2025-65965 Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0. CVE-2025-66406 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-66406.html CVE-2025-66406 Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder. CVE-2025-66410 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-66410.html CVE-2025-66410 Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4. CVE-2025-66411 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-66411.html CVE-2025-66411 Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3. CVE-2025-66506 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-66506.html CVE-2025-66506 Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3. CVE-2025-66564 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254395-1/ https://www.suse.com/security/cve/CVE-2025-66564.html CVE-2025-66564