Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:latest by SUSE

    CVE-2025-53880 (GCVE-0-2025-53880)

    Vulnerability from nvd – Published: 2025-10-30 10:31 – Updated: 2026-02-26 16:56
    VLAI
    Title
    susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal
    Summary
    A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Date Public
    2025-10-28 07:12
    Credits
    Paolo Perego of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53880",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-31T03:55:25.918910Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T16:56:50.977Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "susemanager-tftpsync-recv",
              "product": "Container suse/manager/4.3/proxy-httpd:latest",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "4.3.11-150400.3.15.3",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "susemanager-tftpsync-recv",
              "product": "Container suse/manager/5.0/x86_64/proxy-httpd:latest",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "5.0.3-150600.3.6.4",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "susemanager-tftpsync-recv",
              "product": "Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:latest",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "5.1.3-150700.3.3.3",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "susemanager-tftpsync-recv",
              "product": "SUSE Manager Proxy LTS 4.3",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "4.3.11-150400.3.15.3",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Paolo Perego of SUSE"
            }
          ],
          "datePublic": "2025-10-28T07:12:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eA Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-35",
                  "description": "CWE-35: Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-30T10:33:26.970Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53880"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-53880",
        "datePublished": "2025-10-30T10:31:15.866Z",
        "dateReserved": "2025-07-11T10:53:52.681Z",
        "dateUpdated": "2026-02-26T16:56:50.977Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53880 (GCVE-0-2025-53880)

    Vulnerability from cvelistv5 – Published: 2025-10-30 10:31 – Updated: 2026-02-26 16:56
    VLAI
    Title
    susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal
    Summary
    A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Date Public
    2025-10-28 07:12
    Credits
    Paolo Perego of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53880",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-31T03:55:25.918910Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T16:56:50.977Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "susemanager-tftpsync-recv",
              "product": "Container suse/manager/4.3/proxy-httpd:latest",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "4.3.11-150400.3.15.3",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "susemanager-tftpsync-recv",
              "product": "Container suse/manager/5.0/x86_64/proxy-httpd:latest",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "5.0.3-150600.3.6.4",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "susemanager-tftpsync-recv",
              "product": "Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:latest",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "5.1.3-150700.3.3.3",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "susemanager-tftpsync-recv",
              "product": "SUSE Manager Proxy LTS 4.3",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "4.3.11-150400.3.15.3",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Paolo Perego of SUSE"
            }
          ],
          "datePublic": "2025-10-28T07:12:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eA Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-35",
                  "description": "CWE-35: Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-30T10:33:26.970Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53880"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-53880",
        "datePublished": "2025-10-30T10:31:15.866Z",
        "dateReserved": "2025-07-11T10:53:52.681Z",
        "dateUpdated": "2026-02-26T16:56:50.977Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }