Search

Find a vulnerability

Search criteria

    18 vulnerabilities found for Tumbleweed by openSUSE

    CVE-2025-62875 (GCVE-0-2025-62875)

    Vulnerability from nvd – Published: 2025-11-20 16:02 – Updated: 2025-11-21 16:28
    VLAI
    Title
    Local DoS in OpenSMTPD via UNIX domain socket smtpd.sock
    Summary
    An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-754 - Improper Check for Unusual or Exceptional Conditions
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 7.8.0p0-1.1 (custom)
    Create a notification for this product.
    Date Public
    2025-11-19 16:05
    Credits
    Matthias Gerstner of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-20T16:06:09.067Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/10/31/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62875",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-21T16:28:15.978148Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-21T16:28:18.612Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html#reproducer"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "OpenSMTPD",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "7.8.0p0-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2025-11-19T16:05:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eAn Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD\u0026nbsp;allows local users to crash\u0026nbsp;OpenSMTPD.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThis issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.\u003c/div\u003e"
                }
              ],
              "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD\u00a0allows local users to crash\u00a0OpenSMTPD.\n\n\n\n\nThis issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-754",
                  "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T16:02:11.542Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62875"
            },
            {
              "url": "https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Local DoS in OpenSMTPD via UNIX domain socket smtpd.sock",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-62875",
        "datePublished": "2025-11-20T16:02:11.542Z",
        "dateReserved": "2025-10-24T10:34:22.764Z",
        "dateUpdated": "2025-11-21T16:28:18.612Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53881 (GCVE-0-2025-53881)

    Vulnerability from nvd – Published: 2025-10-02 13:51 – Updated: 2025-10-02 17:38
    VLAI
    Title
    SUSE-specific logrotate configuration allows escalation from mail user/group to root
    Summary
    A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.This issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: ? , < 4.98.2-lp156.248.1 (semver)
    Create a notification for this product.
    Date Public
    2025-09-26 04:35
    Credits
    Matthias Gerstner of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53881",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T17:15:08.115894Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T17:38:57.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "exim",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "4.98.2-lp156.248.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2025-09-26T04:35:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.\u003cp\u003eThis issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1.\u003c/p\u003e"
                }
              ],
              "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.This issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T13:51:56.848Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53881"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "SUSE-specific logrotate configuration allows escalation from mail user/group to root",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-53881",
        "datePublished": "2025-10-02T13:51:56.848Z",
        "dateReserved": "2025-07-11T10:53:52.681Z",
        "dateUpdated": "2025-10-02T17:38:57.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-46810 (GCVE-0-2025-46810)

    Vulnerability from nvd – Published: 2025-09-02 11:34 – Updated: 2026-02-26 17:49
    VLAI
    Summary
    A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root. This issue affects Tumbleweed: from ? before 2.11.29.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    References
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: ? , < 2.11.29 (semver)
    Create a notification for this product.
    Date Public
    2025-08-30 03:45
    Credits
    Johannes Segitz of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-46810",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T03:55:31.871174Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:49:54.935Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "traefik2",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "2.11.29",
                  "status": "affected",
                  "version": "?",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Johannes Segitz of SUSE"
            }
          ],
          "datePublic": "2025-08-30T03:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root.\u0026nbsp;\u003cp\u003eThis issue affects Tumbleweed: from ? before 2.11.29.\u003c/p\u003e"
                }
              ],
              "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root.\u00a0This issue affects Tumbleweed: from ? before 2.11.29."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-02T11:35:54.497Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1245204"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-46810",
        "datePublished": "2025-09-02T11:34:32.138Z",
        "dateReserved": "2025-04-30T11:28:04.728Z",
        "dateUpdated": "2026-02-26T17:49:54.935Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-49506 (GCVE-0-2024-49506)

    Vulnerability from nvd – Published: 2024-11-13 14:15 – Updated: 2024-11-21 16:14
    VLAI
    Title
    Fixed temporary file path in aeon-checks allows fixing of disk encryption key
    Summary
    Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-377 - Insecure Temporary File
    Assigner
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: 0 , < 1.0.2 (semver)
    Create a notification for this product.
    openSUSE Tumbleweed Affected: 0 , < 1.2.4 (semver)
    Create a notification for this product.
    Date Public
    2024-11-05 11:13
    Credits
    Mattthias Gerstner of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-49506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T15:04:50.876139Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-21T16:14:24.983Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "aeon-check",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "1.0.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tik",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "1.2.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mattthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2024-11-05T11:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem\u003cbr\u003e"
                }
              ],
              "value": "Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem"
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-377",
                  "description": "CWE-377: Insecure Temporary File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T14:15:09.354Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-49506"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Fixed temporary file path in aeon-checks allows fixing of disk encryption key",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-49506",
        "datePublished": "2024-11-13T14:15:09.354Z",
        "dateReserved": "2024-10-15T13:20:07.748Z",
        "dateUpdated": "2024-11-21T16:14:24.983Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-49505 (GCVE-0-2024-49505)

    Vulnerability from nvd – Published: 2024-11-13 14:21 – Updated: 2024-11-13 18:38
    VLAI
    Title
    XSS vulnerability found in OpenSuse MirrorCache
    Summary
    A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in openSUSE Tumbleweed MirrorCache allows the execution of arbitrary JS via reflected XSS in the  REGEX and P parameters. This issue affects MirrorCache before 1.083.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: 0 , < 1.083 (semver)
    Create a notification for this product.
    suse opensuse_tumbleweed Affected: 0 , < 1.0.83 (semver)
        cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Erick Fernando Xavier de Oliveira
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "opensuse_tumbleweed",
                "vendor": "suse",
                "versions": [
                  {
                    "lessThan": "1.0.83",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-49505",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T18:37:28.470033Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T18:38:11.311Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "MirrorCache",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "1.083",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erick Fernando Xavier de Oliveira"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in openSUSE Tumbleweed MirrorCache allows the execution of arbitrary JS via reflected XSS in the\u0026nbsp; REGEX and P parameters.\u003cbr\u003e\u003cp\u003eThis issue affects MirrorCache before 1.083.\u003c/p\u003e"
                }
              ],
              "value": "A Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in openSUSE Tumbleweed MirrorCache allows the execution of arbitrary JS via reflected XSS in the\u00a0 REGEX and P parameters.\nThis issue affects MirrorCache before 1.083."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T14:21:00.317Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-49505"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "XSS vulnerability found in OpenSuse MirrorCache",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-49505",
        "datePublished": "2024-11-13T14:21:00.317Z",
        "dateReserved": "2024-10-15T13:20:07.748Z",
        "dateUpdated": "2024-11-13T18:38:11.311Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32183 (GCVE-0-2023-32183)

    Vulnerability from nvd – Published: 2023-07-07 08:11 – Updated: 2024-11-14 19:43
    VLAI
    Summary
    Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to root This issue affects openSUSE Tumbleweed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Unaffected: 2.6.4+git.1682509819.1ff135ea-269.5
    Create a notification for this product.
    Credits
    Johannes Segitz (SUSE)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:10:23.763Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32183"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32183",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-14T19:42:58.703938Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-14T19:43:09.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "hawk2",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.6.4+git.1682509819.1ff135ea-269.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Johannes Segitz (SUSE)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to root\u003cbr\u003e\u003cp\u003eThis issue affects openSUSE Tumbleweed.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to root\nThis issue affects openSUSE Tumbleweed.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-07T08:12:28.190Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32183"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2023-32183",
        "datePublished": "2023-07-07T08:11:07.372Z",
        "dateReserved": "2023-05-04T08:30:59.320Z",
        "dateUpdated": "2024-11-14T19:43:09.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-31250 (GCVE-0-2022-31250)

    Vulnerability from nvd – Published: 2022-07-20 07:55 – Updated: 2024-09-17 01:06
    VLAI
    Title
    keylime %post scriplet allows for privilege escalation from keylime user to root
    Summary
    A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed allows local attackers to escalate from the keylime user to root. This issue affects: openSUSE Tumbleweed keylime versions prior to 6.4.2-1.1.
    CWE
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    Assigner
    References
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: keylime , < 6.4.2-1.1 (custom)
    Create a notification for this product.
    Date Public
    2022-06-24 00:00
    Credits
    Johannes Segitz from SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:11:39.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1200885"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "6.4.2-1.1",
                  "status": "affected",
                  "version": "keylime",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Johannes Segitz from SUSE"
            }
          ],
          "datePublic": "2022-06-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed allows local attackers to escalate from the keylime user to root. This issue affects: openSUSE Tumbleweed keylime versions prior to 6.4.2-1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-13T00:00:00.000Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1200885"
            }
          ],
          "source": {
            "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1200885",
            "defect": [
              "1200885"
            ],
            "discovery": "INTERNAL"
          },
          "title": "keylime %post scriplet allows for privilege escalation from keylime user to root",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2022-31250",
        "datePublished": "2022-07-20T07:55:11.167Z",
        "dateReserved": "2022-05-20T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:06:35.227Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25315 (GCVE-0-2021-25315)

    Vulnerability from nvd – Published: 2021-03-03 09:55 – Updated: 2024-09-16 21:03
    VLAI
    Title
    salt-api unauthenticated remote code execution
    Summary
    CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
    CWE
    • CWE-287 - CWE - CWE-287: Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    SUSE SUSE Linux Enterprise Server 15 SP 3 Affected: salt , < 3002.2-3 (custom)
    Create a notification for this product.
    openSUSE Tumbleweed Affected: salt , ≤ 3002.2-2.1 (custom)
    Create a notification for this product.
    Date Public
    2021-03-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:03:04.112Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1182382"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SUSE Linux Enterprise Server 15 SP 3",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "3002.2-3",
                  "status": "affected",
                  "version": "salt",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThanOrEqual": "3002.2-2.1",
                  "status": "affected",
                  "version": "salt",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-03-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE - CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-22T00:00:00.000Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1182382"
            }
          ],
          "source": {
            "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1182382",
            "defect": [
              "1182382"
            ],
            "discovery": "INTERNAL"
          },
          "title": "salt-api unauthenticated remote code execution",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2021-25315",
        "datePublished": "2021-03-03T09:55:16.356Z",
        "dateReserved": "2021-01-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:03:45.719Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8026 (GCVE-0-2020-8026)

    Vulnerability from nvd – Published: 2020-08-07 09:25 – Updated: 2024-09-16 16:57
    VLAI
    Title
    inn: non-root owned files
    Summary
    A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions.
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    References
    Impacted products
    Vendor Product Version
    openSUSE openSUSE Leap 15.2 Affected: inn , ≤ 2.6.2-lp152.1.26 (custom)
    Create a notification for this product.
    openSUSE openSUSE Tumbleweed Affected: inn , ≤ 2.6.2-4.2 (custom)
    Create a notification for this product.
    openSUSE openSUSE Leap 15.1 Affected: inn , ≤ 2.5.4-lp151.3.3.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-24 00:00
    Credits
    Matthias Gerstner/Johannes Segitz of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:48:24.996Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"
              },
              {
                "name": "openSUSE-SU-2020:1271",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"
              },
              {
                "name": "openSUSE-SU-2020:1272",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"
              },
              {
                "name": "openSUSE-SU-2020:1304",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"
              },
              {
                "name": "openSUSE-SU-2020:1427",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openSUSE Leap 15.2",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2-lp152.1.26",
                  "status": "affected",
                  "version": "inn",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "openSUSE Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2-4.2",
                  "status": "affected",
                  "version": "inn",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "openSUSE Leap 15.1",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThanOrEqual": "2.5.4-lp151.3.3.1",
                  "status": "affected",
                  "version": "inn",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Matthias Gerstner/Johannes Segitz of SUSE"
            }
          ],
          "datePublic": "2020-07-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-09-18T17:06:35.000Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"
            },
            {
              "name": "openSUSE-SU-2020:1271",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"
            },
            {
              "name": "openSUSE-SU-2020:1272",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"
            },
            {
              "name": "openSUSE-SU-2020:1304",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"
            },
            {
              "name": "openSUSE-SU-2020:1427",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"
            }
          ],
          "source": {
            "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172573",
            "defect": [
              "1172573"
            ],
            "discovery": "INTERNAL"
          },
          "title": "inn: non-root owned files",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@suse.com",
              "DATE_PUBLIC": "2020-07-24T00:00:00.000Z",
              "ID": "CVE-2020-8026",
              "STATE": "PUBLIC",
              "TITLE": "inn: non-root owned files"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "openSUSE Leap 15.2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "inn",
                                "version_value": "2.6.2-lp152.1.26"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "openSUSE Tumbleweed",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "inn",
                                "version_value": "2.6.2-4.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "openSUSE Leap 15.1",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "inn",
                                "version_value": "2.5.4-lp151.3.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "openSUSE"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Matthias Gerstner/Johannes Segitz of SUSE"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-276: Incorrect Default Permissions"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.suse.com/show_bug.cgi?id=1172573",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"
                },
                {
                  "name": "openSUSE-SU-2020:1271",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"
                },
                {
                  "name": "openSUSE-SU-2020:1272",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"
                },
                {
                  "name": "openSUSE-SU-2020:1304",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"
                },
                {
                  "name": "openSUSE-SU-2020:1427",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"
                }
              ]
            },
            "source": {
              "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172573",
              "defect": [
                "1172573"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2020-8026",
        "datePublished": "2020-08-07T09:25:13.939Z",
        "dateReserved": "2020-01-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:57:41.593Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-62875 (GCVE-0-2025-62875)

    Vulnerability from cvelistv5 – Published: 2025-11-20 16:02 – Updated: 2025-11-21 16:28
    VLAI
    Title
    Local DoS in OpenSMTPD via UNIX domain socket smtpd.sock
    Summary
    An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-754 - Improper Check for Unusual or Exceptional Conditions
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 7.8.0p0-1.1 (custom)
    Create a notification for this product.
    Date Public
    2025-11-19 16:05
    Credits
    Matthias Gerstner of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-20T16:06:09.067Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/10/31/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62875",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-21T16:28:15.978148Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-21T16:28:18.612Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html#reproducer"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "OpenSMTPD",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "7.8.0p0-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2025-11-19T16:05:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eAn Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD\u0026nbsp;allows local users to crash\u0026nbsp;OpenSMTPD.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThis issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.\u003c/div\u003e"
                }
              ],
              "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD\u00a0allows local users to crash\u00a0OpenSMTPD.\n\n\n\n\nThis issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-754",
                  "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T16:02:11.542Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62875"
            },
            {
              "url": "https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Local DoS in OpenSMTPD via UNIX domain socket smtpd.sock",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-62875",
        "datePublished": "2025-11-20T16:02:11.542Z",
        "dateReserved": "2025-10-24T10:34:22.764Z",
        "dateUpdated": "2025-11-21T16:28:18.612Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53881 (GCVE-0-2025-53881)

    Vulnerability from cvelistv5 – Published: 2025-10-02 13:51 – Updated: 2025-10-02 17:38
    VLAI
    Title
    SUSE-specific logrotate configuration allows escalation from mail user/group to root
    Summary
    A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.This issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: ? , < 4.98.2-lp156.248.1 (semver)
    Create a notification for this product.
    Date Public
    2025-09-26 04:35
    Credits
    Matthias Gerstner of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53881",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T17:15:08.115894Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T17:38:57.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "exim",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "4.98.2-lp156.248.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2025-09-26T04:35:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.\u003cp\u003eThis issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1.\u003c/p\u003e"
                }
              ],
              "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in logrotate config in the exim package allowed privilege escalation from mail user/group to root.This issue affects Tumbleweed: from ? before 4.98.2-lp156.248.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T13:51:56.848Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53881"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "SUSE-specific logrotate configuration allows escalation from mail user/group to root",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-53881",
        "datePublished": "2025-10-02T13:51:56.848Z",
        "dateReserved": "2025-07-11T10:53:52.681Z",
        "dateUpdated": "2025-10-02T17:38:57.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-46810 (GCVE-0-2025-46810)

    Vulnerability from cvelistv5 – Published: 2025-09-02 11:34 – Updated: 2026-02-26 17:49
    VLAI
    Summary
    A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root. This issue affects Tumbleweed: from ? before 2.11.29.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    References
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: ? , < 2.11.29 (semver)
    Create a notification for this product.
    Date Public
    2025-08-30 03:45
    Credits
    Johannes Segitz of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-46810",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T03:55:31.871174Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:49:54.935Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "traefik2",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "2.11.29",
                  "status": "affected",
                  "version": "?",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Johannes Segitz of SUSE"
            }
          ],
          "datePublic": "2025-08-30T03:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root.\u0026nbsp;\u003cp\u003eThis issue affects Tumbleweed: from ? before 2.11.29.\u003c/p\u003e"
                }
              ],
              "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root.\u00a0This issue affects Tumbleweed: from ? before 2.11.29."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-02T11:35:54.497Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1245204"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-46810",
        "datePublished": "2025-09-02T11:34:32.138Z",
        "dateReserved": "2025-04-30T11:28:04.728Z",
        "dateUpdated": "2026-02-26T17:49:54.935Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-49505 (GCVE-0-2024-49505)

    Vulnerability from cvelistv5 – Published: 2024-11-13 14:21 – Updated: 2024-11-13 18:38
    VLAI
    Title
    XSS vulnerability found in OpenSuse MirrorCache
    Summary
    A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in openSUSE Tumbleweed MirrorCache allows the execution of arbitrary JS via reflected XSS in the  REGEX and P parameters. This issue affects MirrorCache before 1.083.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: 0 , < 1.083 (semver)
    Create a notification for this product.
    suse opensuse_tumbleweed Affected: 0 , < 1.0.83 (semver)
        cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Erick Fernando Xavier de Oliveira
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "opensuse_tumbleweed",
                "vendor": "suse",
                "versions": [
                  {
                    "lessThan": "1.0.83",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-49505",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T18:37:28.470033Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T18:38:11.311Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "MirrorCache",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "1.083",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erick Fernando Xavier de Oliveira"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in openSUSE Tumbleweed MirrorCache allows the execution of arbitrary JS via reflected XSS in the\u0026nbsp; REGEX and P parameters.\u003cbr\u003e\u003cp\u003eThis issue affects MirrorCache before 1.083.\u003c/p\u003e"
                }
              ],
              "value": "A Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in openSUSE Tumbleweed MirrorCache allows the execution of arbitrary JS via reflected XSS in the\u00a0 REGEX and P parameters.\nThis issue affects MirrorCache before 1.083."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T14:21:00.317Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-49505"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "XSS vulnerability found in OpenSuse MirrorCache",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-49505",
        "datePublished": "2024-11-13T14:21:00.317Z",
        "dateReserved": "2024-10-15T13:20:07.748Z",
        "dateUpdated": "2024-11-13T18:38:11.311Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-49506 (GCVE-0-2024-49506)

    Vulnerability from cvelistv5 – Published: 2024-11-13 14:15 – Updated: 2024-11-21 16:14
    VLAI
    Title
    Fixed temporary file path in aeon-checks allows fixing of disk encryption key
    Summary
    Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-377 - Insecure Temporary File
    Assigner
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: 0 , < 1.0.2 (semver)
    Create a notification for this product.
    openSUSE Tumbleweed Affected: 0 , < 1.2.4 (semver)
    Create a notification for this product.
    Date Public
    2024-11-05 11:13
    Credits
    Mattthias Gerstner of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-49506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T15:04:50.876139Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-21T16:14:24.983Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "aeon-check",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "1.0.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tik",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "1.2.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mattthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2024-11-05T11:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem\u003cbr\u003e"
                }
              ],
              "value": "Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem"
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-377",
                  "description": "CWE-377: Insecure Temporary File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T14:15:09.354Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-49506"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Fixed temporary file path in aeon-checks allows fixing of disk encryption key",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-49506",
        "datePublished": "2024-11-13T14:15:09.354Z",
        "dateReserved": "2024-10-15T13:20:07.748Z",
        "dateUpdated": "2024-11-21T16:14:24.983Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32183 (GCVE-0-2023-32183)

    Vulnerability from cvelistv5 – Published: 2023-07-07 08:11 – Updated: 2024-11-14 19:43
    VLAI
    Summary
    Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to root This issue affects openSUSE Tumbleweed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Unaffected: 2.6.4+git.1682509819.1ff135ea-269.5
    Create a notification for this product.
    Credits
    Johannes Segitz (SUSE)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:10:23.763Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32183"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32183",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-14T19:42:58.703938Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-14T19:43:09.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "packageName": "hawk2",
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.6.4+git.1682509819.1ff135ea-269.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Johannes Segitz (SUSE)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to root\u003cbr\u003e\u003cp\u003eThis issue affects openSUSE Tumbleweed.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to root\nThis issue affects openSUSE Tumbleweed.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-07T08:12:28.190Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32183"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2023-32183",
        "datePublished": "2023-07-07T08:11:07.372Z",
        "dateReserved": "2023-05-04T08:30:59.320Z",
        "dateUpdated": "2024-11-14T19:43:09.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-31250 (GCVE-0-2022-31250)

    Vulnerability from cvelistv5 – Published: 2022-07-20 07:55 – Updated: 2024-09-17 01:06
    VLAI
    Title
    keylime %post scriplet allows for privilege escalation from keylime user to root
    Summary
    A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed allows local attackers to escalate from the keylime user to root. This issue affects: openSUSE Tumbleweed keylime versions prior to 6.4.2-1.1.
    CWE
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    Assigner
    References
    Impacted products
    Vendor Product Version
    openSUSE Tumbleweed Affected: keylime , < 6.4.2-1.1 (custom)
    Create a notification for this product.
    Date Public
    2022-06-24 00:00
    Credits
    Johannes Segitz from SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:11:39.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1200885"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThan": "6.4.2-1.1",
                  "status": "affected",
                  "version": "keylime",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Johannes Segitz from SUSE"
            }
          ],
          "datePublic": "2022-06-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in keylime of openSUSE Tumbleweed allows local attackers to escalate from the keylime user to root. This issue affects: openSUSE Tumbleweed keylime versions prior to 6.4.2-1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-13T00:00:00.000Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1200885"
            }
          ],
          "source": {
            "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1200885",
            "defect": [
              "1200885"
            ],
            "discovery": "INTERNAL"
          },
          "title": "keylime %post scriplet allows for privilege escalation from keylime user to root",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2022-31250",
        "datePublished": "2022-07-20T07:55:11.167Z",
        "dateReserved": "2022-05-20T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:06:35.227Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25315 (GCVE-0-2021-25315)

    Vulnerability from cvelistv5 – Published: 2021-03-03 09:55 – Updated: 2024-09-16 21:03
    VLAI
    Title
    salt-api unauthenticated remote code execution
    Summary
    CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
    CWE
    • CWE-287 - CWE - CWE-287: Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    SUSE SUSE Linux Enterprise Server 15 SP 3 Affected: salt , < 3002.2-3 (custom)
    Create a notification for this product.
    openSUSE Tumbleweed Affected: salt , ≤ 3002.2-2.1 (custom)
    Create a notification for this product.
    Date Public
    2021-03-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:03:04.112Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1182382"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SUSE Linux Enterprise Server 15 SP 3",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "3002.2-3",
                  "status": "affected",
                  "version": "salt",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThanOrEqual": "3002.2-2.1",
                  "status": "affected",
                  "version": "salt",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-03-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE - CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-22T00:00:00.000Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1182382"
            }
          ],
          "source": {
            "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1182382",
            "defect": [
              "1182382"
            ],
            "discovery": "INTERNAL"
          },
          "title": "salt-api unauthenticated remote code execution",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2021-25315",
        "datePublished": "2021-03-03T09:55:16.356Z",
        "dateReserved": "2021-01-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:03:45.719Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8026 (GCVE-0-2020-8026)

    Vulnerability from cvelistv5 – Published: 2020-08-07 09:25 – Updated: 2024-09-16 16:57
    VLAI
    Title
    inn: non-root owned files
    Summary
    A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions.
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    References
    Impacted products
    Vendor Product Version
    openSUSE openSUSE Leap 15.2 Affected: inn , ≤ 2.6.2-lp152.1.26 (custom)
    Create a notification for this product.
    openSUSE openSUSE Tumbleweed Affected: inn , ≤ 2.6.2-4.2 (custom)
    Create a notification for this product.
    openSUSE openSUSE Leap 15.1 Affected: inn , ≤ 2.5.4-lp151.3.3.1 (custom)
    Create a notification for this product.
    Date Public
    2020-07-24 00:00
    Credits
    Matthias Gerstner/Johannes Segitz of SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:48:24.996Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"
              },
              {
                "name": "openSUSE-SU-2020:1271",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"
              },
              {
                "name": "openSUSE-SU-2020:1272",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"
              },
              {
                "name": "openSUSE-SU-2020:1304",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"
              },
              {
                "name": "openSUSE-SU-2020:1427",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openSUSE Leap 15.2",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2-lp152.1.26",
                  "status": "affected",
                  "version": "inn",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "openSUSE Tumbleweed",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2-4.2",
                  "status": "affected",
                  "version": "inn",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "openSUSE Leap 15.1",
              "vendor": "openSUSE",
              "versions": [
                {
                  "lessThanOrEqual": "2.5.4-lp151.3.3.1",
                  "status": "affected",
                  "version": "inn",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Matthias Gerstner/Johannes Segitz of SUSE"
            }
          ],
          "datePublic": "2020-07-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-09-18T17:06:35.000Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"
            },
            {
              "name": "openSUSE-SU-2020:1271",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"
            },
            {
              "name": "openSUSE-SU-2020:1272",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"
            },
            {
              "name": "openSUSE-SU-2020:1304",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"
            },
            {
              "name": "openSUSE-SU-2020:1427",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"
            }
          ],
          "source": {
            "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172573",
            "defect": [
              "1172573"
            ],
            "discovery": "INTERNAL"
          },
          "title": "inn: non-root owned files",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@suse.com",
              "DATE_PUBLIC": "2020-07-24T00:00:00.000Z",
              "ID": "CVE-2020-8026",
              "STATE": "PUBLIC",
              "TITLE": "inn: non-root owned files"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "openSUSE Leap 15.2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "inn",
                                "version_value": "2.6.2-lp152.1.26"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "openSUSE Tumbleweed",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "inn",
                                "version_value": "2.6.2-4.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "openSUSE Leap 15.1",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "inn",
                                "version_value": "2.5.4-lp151.3.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "openSUSE"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Matthias Gerstner/Johannes Segitz of SUSE"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior versions. openSUSE Tumbleweed inn version 2.6.2-4.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.3.3.1 and prior versions."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-276: Incorrect Default Permissions"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.suse.com/show_bug.cgi?id=1172573",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.suse.com/show_bug.cgi?id=1172573"
                },
                {
                  "name": "openSUSE-SU-2020:1271",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00064.html"
                },
                {
                  "name": "openSUSE-SU-2020:1272",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00063.html"
                },
                {
                  "name": "openSUSE-SU-2020:1304",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00074.html"
                },
                {
                  "name": "openSUSE-SU-2020:1427",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00038.html"
                }
              ]
            },
            "source": {
              "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1172573",
              "defect": [
                "1172573"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2020-8026",
        "datePublished": "2020-08-07T09:25:13.939Z",
        "dateReserved": "2020-01-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:57:41.593Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }