
    20 vulnerabilities found for openSUSE Tumbleweed by SUSE

    CVE-2026-41051 (GCVE-0-2026-41051)

    Vulnerability from nvd – Published: 2026-05-13 08:37 – Updated: 2026-05-13 19:24
    VLAI
    Title
    csync2 uses insecure temporary directories when compiled with C99 or later
    Summary
    csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 2.0+git.1600444747.83b3644-3.1 (custom)
    Credits
    Wolfgang Frisch of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41051",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T19:23:57.417815Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-367",
                    "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T19:24:11.916Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "csync2",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "2.0+git.1600444747.83b3644-3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wolfgang Frisch of SUSE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories."
                }
              ],
              "value": "csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T08:38:08.507Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41051"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "csync2 uses insecure temporary directories when compiled with C99 or later",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2026-41051",
        "datePublished": "2026-05-13T08:37:38.405Z",
        "dateReserved": "2026-04-16T13:37:50.680Z",
        "dateUpdated": "2026-05-13T19:24:11.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62875 (GCVE-0-2025-62875)

    Vulnerability from nvd – Published: 2025-11-20 16:02 – Updated: 2025-11-21 16:28
    VLAI
    Title
    Local DoS in OpenSMTPD via UNIX domain socket smtpd.sock
    Summary
    An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-754 - Improper Check for Unusual or Exceptional Conditions
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 7.8.0p0-1.1 (custom)
    Date Public
    2025-11-19 16:05
    Credits
    Matthias Gerstner of SUSE

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-20T16:06:09.067Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/10/31/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62875",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-21T16:28:15.978148Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-21T16:28:18.612Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html#reproducer"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "OpenSMTPD",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "7.8.0p0-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2025-11-19T16:05:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eAn Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD\u0026nbsp;allows local users to crash\u0026nbsp;OpenSMTPD.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThis issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.\u003c/div\u003e"
                }
              ],
              "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD\u00a0allows local users to crash\u00a0OpenSMTPD.\n\n\n\n\nThis issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-754",
                  "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T16:02:11.542Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62875"
            },
            {
              "url": "https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Local DoS in OpenSMTPD via UNIX domain socket smtpd.sock",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-62875",
        "datePublished": "2025-11-20T16:02:11.542Z",
        "dateReserved": "2025-10-24T10:34:22.764Z",
        "dateUpdated": "2025-11-21T16:28:18.612Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53882 (GCVE-0-2025-53882)

    Vulnerability from nvd – Published: 2025-07-23 09:31 – Updated: 2026-02-26 17:50
    VLAI
    Title
    The logrotate configuration in the python-mailman of openSUSE allows the mailman user to send SIGHUP to arbitrary processes
    Summary
    A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to send SIGHUP to arbitrary processes. This issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 3.3.10-2.1 (custom)
    Date Public
    2025-07-15 10:33
    Credits
    Matthias Gerstner of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53882",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-29T03:55:20.012924Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:50:17.345Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "mailman3",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "3.3.10-2.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2025-07-15T10:33:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to sent SIGHUP to arbitrary processes.\u0026nbsp;\u003cp\u003eThis issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.\u003c/p\u003e"
                }
              ],
              "value": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to sent SIGHUP to arbitrary processes.\u00a0This issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-807",
                  "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T07:23:06.351Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53882"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "The logrotate configuration in the python-mailman of openSUSE allows the mailman user to sent SIGHUP to arbitrary proceess",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-53882",
        "datePublished": "2025-07-23T09:31:18.547Z",
        "dateReserved": "2025-07-11T10:53:52.681Z",
        "dateUpdated": "2026-02-26T17:50:17.345Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-23394 (GCVE-0-2025-23394)

    Vulnerability from nvd – Published: 2025-05-26 15:34 – Updated: 2025-05-27 14:05
    VLAI
    Title
    daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root
    Summary
    A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root. This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 3.8.4-2.1 (custom)
    Date Public
    2025-04-29 08:20
    Credits
    Matthias Gerstner, SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-27T14:04:35.779860Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-27T14:05:20.489Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "cyrus-imapd",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "3.8.4-2.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner, SUSE"
            }
          ],
          "datePublic": "2025-04-29T08:20:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.\u003cp\u003eThis issue affects openSUSE Tumbleweed  cyrus-imapd before 3.8.4-2.1.\u003c/p\u003e"
                }
              ],
              "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed  cyrus-imapd before 3.8.4-2.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-26T15:34:32.562Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23394"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-23394",
        "datePublished": "2025-05-26T15:34:32.562Z",
        "dateReserved": "2025-01-15T12:39:03.324Z",
        "dateUpdated": "2025-05-27T14:05:20.489Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-23386 (GCVE-0-2025-23386)

    Vulnerability from nvd – Published: 2025-04-10 09:42 – Updated: 2025-04-10 14:22
    VLAI
    Title
    gerbera: Privilege escalation from user gerbera to root because of insecure %post script
    Summary
    An Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root. This issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 2.5.0-1.1 (custom)
    Date Public
    2025-01-21 15:59
    Credits
    Johannes Segitz of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23386",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T13:59:12.257573Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T14:22:23.310Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "gerbera",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "2.5.0-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Johannes Segitz of SUSE"
            }
          ],
          "datePublic": "2025-01-21T15:59:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root.,\u003cp\u003eThis issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1.\u003c/p\u003e"
                }
              ],
              "value": "A Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root.,This issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-10T09:42:18.391Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23386"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "gerbera: Privilege escalation from user gerbera to root because of insecure %post script",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-23386",
        "datePublished": "2025-04-10T09:42:18.391Z",
        "dateReserved": "2025-01-15T12:39:03.323Z",
        "dateUpdated": "2025-04-10T14:22:23.310Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-49504 (GCVE-0-2024-49504)

    Vulnerability from nvd – Published: 2024-11-13 14:44 – Updated: 2024-11-13 18:32
    VLAI
    Title
    grub2 allows bypassing TPM-bound disk encryption on SL(E)M encrypted Images
    Summary
    grub2 allowed attackers with access to the grub shell to access files on the encrypted disks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 2.12-28.1 (custom)
    suse opensuse_tumbleweed Affected: 0 , < 2.12-28.1 (custom)
        cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*
    Credits
    Fabian Vogt of SUSE

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "opensuse_tumbleweed",
                "vendor": "suse",
                "versions": [
                  {
                    "lessThan": "2.12-28.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-49504",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T18:31:10.396372Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T18:32:06.515Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "grub2",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "2.12-28.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fabian Vogt of SUSE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "grub2 allowed attackers with access to the grub shell to access files on the encrypted disks.\u003cbr\u003e"
                }
              ],
              "value": "grub2 allowed attackers with access to the grub shell to access files on the encrypted disks."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T14:44:23.659Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-49504"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "grub2 allows bypassing TPM-bound disk encryption on SL(E)M encrypted Images",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-49504",
        "datePublished": "2024-11-13T14:44:23.659Z",
        "dateReserved": "2024-10-15T13:20:07.748Z",
        "dateUpdated": "2024-11-13T18:32:06.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-22034 (GCVE-0-2024-22034)

    Vulnerability from nvd – Published: 2024-10-16 13:46 – Updated: 2024-10-31 13:34
    VLAI
    Title
    Crafted projects can overwrite special files in the .osc config directory
    Summary
    Attackers could put the special files in .osc (e.g. _apiurl) into the actual package sources. This allows the attacker to change the configuration of osc for the victim.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    Impacted products
    Vendor Product Version
    SUSE SUSE Linux Enterprise Desktop 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Module for Development Tools 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Desktop 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Module for Development Tools 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server 12 SP5 Affected: ? , < 0.183.0-15.18.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 12 SP5 Affected: ? , < 0.183.0-15.18.1 (custom)
    SUSE SUSE Linux Enterprise Software Development Kit 12 SP5 Affected: ? , < 0.183.0-15.18.1 (custom)
    SUSE openSUSE Leap 15.5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE openSUSE Leap 15.6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE openSUSE Tumbleweed Affected: ? , < 1.9.0-1.1 (custom)
    Date Public
    2024-08-19 11:42
    Credits
    Daniel Mach of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-22034",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:01:15.655473Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-31T13:34:34.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Desktop 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Desktop 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Module for Development Tools 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server 12 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.183.0-15.18.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.183.0-15.18.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Software Development Kit 12 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.183.0-15.18.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "openSUSE Leap 15.5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "openSUSE Leap 15.6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Mach of SUSE"
            }
          ],
          "datePublic": "2024-08-19T11:42:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim\u003cbr\u003e"
                }
              ],
              "value": "Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T13:46:08.416Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22034"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Crafted projects can overwrite special files in the .osc config directory",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-22034",
        "datePublished": "2024-10-16T13:46:08.416Z",
        "dateReserved": "2024-01-04T12:38:34.024Z",
        "dateUpdated": "2024-10-31T13:34:34.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-22033 (GCVE-0-2024-22033)

    Vulnerability from nvd – Published: 2024-10-16 13:42 – Updated: 2024-10-16 14:07
    VLAI
    Title
    obs-service-download_url is vulnerable to argument injection
    Summary
    The OBS service obs-service-download_url was vulnerable to command injection. An attacker could provide a configuration to the service that allowed commands to be executed in later steps.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    SUSE SUSE Package Hub 15 SP5 Affected: ? , < 0.2.1-bp155.3.3.1 (custom)
    SUSE SUSE Package Hub 15 SP6 Affected: ? , < 0.2.1-bp156.2.3.1 (custom)
    SUSE openSUSE Leap 15.5 Affected: ? , < 0.2.1-bp155.3.3.1 (custom)
    SUSE openSUSE Leap 15.6 Affected: ? , < 0.2.1-bp156.2.3.1 (custom)
    SUSE openSUSE Tumbleweed Affected: ? , < 0.2.1-1.1 (custom)
    Date Public
    2024-07-11 14:21
    Credits
    Maxime Rinaudo

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-22033",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:07:38.141746Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T14:07:57.318Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "SUSE Package Hub 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-bp155.3.3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "SUSE Package Hub 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-bp156.2.3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "openSUSE Leap 15.5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-bp155.3.3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "openSUSE Leap 15.6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-bp156.2.3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Maxime Rinaudo"
            }
          ],
          "datePublic": "2024-07-11T14:21:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps\u003cbr\u003e"
                }
              ],
              "value": "The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T13:42:46.559Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22033"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "obs-service-download_url is vulnerable to argument injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-22033",
        "datePublished": "2024-10-16T13:42:46.559Z",
        "dateReserved": "2024-01-04T12:38:34.024Z",
        "dateUpdated": "2024-10-16T14:07:57.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-22029 (GCVE-0-2024-22029)

    Vulnerability from nvd – Published: 2024-10-16 13:20 – Updated: 2025-08-26 20:18
    VLAI
    Title
    tomcat packaging allows for escalation to root from tomcat user
    Summary
    Insecure permissions in the packaging of tomcat allow local users that win a race during package installation to escalate to root
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    SUSE Container suse/manager/5.0/x86_64/server:5.0.0-beta1.2.122 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Enterprise Storage 7.1 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Module for Web and Scripting 15 SP5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP6 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Module for Web and Scripting 15 SP6 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP6 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP6 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP2-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP3-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP4-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP2 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP3 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP4 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Manager Server 4.3 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE openSUSE Leap 15.5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE openSUSE Tumbleweed Affected: ? , < 9.0.85-3.1 (custom)
    Date Public
    2024-02-14 14:59
    Credits
    Johannes Segitz of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-22029",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:33:12.827088Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-26T20:18:11.916Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "Container suse/manager/5.0/x86_64/server:5.0.0-beta1.2.122",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Enterprise Storage 7.1",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP2-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP3-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP4-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Manager Server 4.3",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "openSUSE Leap 15.5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Johannes Segitz of SUSE"
            }
          ],
          "datePublic": "2024-02-14T14:59:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insecure permissions in the packaging of tomcat allow local users that win a race during package installation to escalate to root\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Insecure permissions in the packaging of tomcat allow local users that win a race during package installation to escalate to root"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T13:20:47.698Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22029"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "tomcat packaging allows for escalation to root from tomcat user",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-22029",
        "datePublished": "2024-10-16T13:20:47.698Z",
        "dateReserved": "2024-01-04T12:38:34.023Z",
        "dateUpdated": "2025-08-26T20:18:11.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32190 (GCVE-0-2023-32190)

    Vulnerability from nvd – Published: 2024-10-16 12:03 – Updated: 2025-03-19 14:39
    VLAI
    Title
    mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable
    Summary
    mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
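    CWE
    (none given by the CNA; the CISA-ADP container in the record below lists CWE-125 Out-of-bounds Read, which does not appear to fit the insecure file operations described in the summary)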
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 0.26-37.1 (custom)
    suse opensuse_tumbleweed Affected: 0 , < 0.26-37.1 (custom)
        cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*
    Date Public
    2024-01-25 15:19
    Credits
    Johannes Segitz of SUSE

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "opensuse_tumbleweed",
                "vendor": "suse",
                "versions": [
                  {
                    "lessThan": "0.26-37.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32190",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T15:58:57.464292Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-125",
                    "description": "CWE-125 Out-of-bounds Read",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-19T14:39:07.458Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "mlocate",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.26-37.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Johannes Segitz  of SUSE"
            }
          ],
          "datePublic": "2024-01-25T15:19:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "mlocate\u0027s %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges.\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "mlocate\u0027s %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T12:03:05.078Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32190"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "mlocate\u0027s %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2023-32190",
        "datePublished": "2024-10-16T12:03:05.078Z",
        "dateReserved": "2023-05-04T08:30:59.321Z",
        "dateUpdated": "2025-03-19T14:39:07.458Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-41051 (GCVE-0-2026-41051)

    Vulnerability from cvelistv5 – Published: 2026-05-13 08:37 – Updated: 2026-05-13 19:24
    VLAI
    Title
    csync2 uses insecure temporary directories when compiled with C99 or later
    Summary
    csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 2.0+git.1600444747.83b3644-3.1 (custom)
    Credits
    Wolfgang Frisch of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41051",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T19:23:57.417815Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-367",
                    "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T19:24:11.916Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "csync2",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "2.0+git.1600444747.83b3644-3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wolfgang Frisch of SUSE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories."
                }
              ],
              "value": "csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T08:38:08.507Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41051"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "csync2 uses insecure temporary directories when compiled with C99 or later",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2026-41051",
        "datePublished": "2026-05-13T08:37:38.405Z",
        "dateReserved": "2026-04-16T13:37:50.680Z",
        "dateUpdated": "2026-05-13T19:24:11.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62875 (GCVE-0-2025-62875)

    Vulnerability from cvelistv5 – Published: 2025-11-20 16:02 – Updated: 2025-11-21 16:28
    VLAI
    Title
    Local DoS in OpenSMTPD via UNIX domain socket smtpd.sock
    Summary
    An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-754 - Improper Check for Unusual or Exceptional Conditions
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 7.8.0p0-1.1 (custom)
    Date Public
    2025-11-19 16:05
    Credits
    Matthias Gerstner of SUSE

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-20T16:06:09.067Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/10/31/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62875",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-21T16:28:15.978148Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-21T16:28:18.612Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html#reproducer"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "OpenSMTPD",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "7.8.0p0-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2025-11-19T16:05:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eAn Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD\u0026nbsp;allows local users to crash\u0026nbsp;OpenSMTPD.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThis issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.\u003c/div\u003e"
                }
              ],
              "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD\u00a0allows local users to crash\u00a0OpenSMTPD.\n\n\n\n\nThis issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-754",
                  "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-20T16:02:11.542Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62875"
            },
            {
              "url": "https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Local DoS in OpenSMTPD via UNIX domain socket smtpd.sock",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-62875",
        "datePublished": "2025-11-20T16:02:11.542Z",
        "dateReserved": "2025-10-24T10:34:22.764Z",
        "dateUpdated": "2025-11-21T16:28:18.612Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53882 (GCVE-0-2025-53882)

    Vulnerability from cvelistv5 – Published: 2025-07-23 09:31 – Updated: 2026-02-26 17:50
    VLAI
    Title
    The logrotate configuration in the python-mailman of openSUSE allows the mailman user to send SIGHUP to arbitrary processes
    Summary
    A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to send SIGHUP to arbitrary processes. This issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 3.3.10-2.1 (custom)
    Date Public
    2025-07-15 10:33
    Credits
    Matthias Gerstner of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53882",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-29T03:55:20.012924Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:50:17.345Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "mailman3",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "3.3.10-2.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2025-07-15T10:33:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to sent SIGHUP to arbitrary processes.\u0026nbsp;\u003cp\u003eThis issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.\u003c/p\u003e"
                }
              ],
              "value": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to sent SIGHUP to arbitrary processes.\u00a0This issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-807",
                  "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T07:23:06.351Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53882"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "The logrotate configuration in the python-mailman of openSUSE allows the mailman user to sent SIGHUP to arbitrary proceess",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-53882",
        "datePublished": "2025-07-23T09:31:18.547Z",
        "dateReserved": "2025-07-11T10:53:52.681Z",
        "dateUpdated": "2026-02-26T17:50:17.345Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-23394 (GCVE-0-2025-23394)

    Vulnerability from cvelistv5 – Published: 2025-05-26 15:34 – Updated: 2025-05-27 14:05
    VLAI
    Title
    daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root
    Summary
    A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root. This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 3.8.4-2.1 (custom)
    Date Public
    2025-04-29 08:20
    Credits
    Matthias Gerstner, SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-27T14:04:35.779860Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-27T14:05:20.489Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "cyrus-imapd",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "3.8.4-2.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthias Gerstner, SUSE"
            }
          ],
          "datePublic": "2025-04-29T08:20:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.\u003cp\u003eThis issue affects openSUSE Tumbleweed  cyrus-imapd before 3.8.4-2.1.\u003c/p\u003e"
                }
              ],
              "value": "A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed  cyrus-imapd before 3.8.4-2.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-26T15:34:32.562Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23394"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-23394",
        "datePublished": "2025-05-26T15:34:32.562Z",
        "dateReserved": "2025-01-15T12:39:03.324Z",
        "dateUpdated": "2025-05-27T14:05:20.489Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-23386 (GCVE-0-2025-23386)

    Vulnerability from cvelistv5 – Published: 2025-04-10 09:42 – Updated: 2025-04-10 14:22
    VLAI
    Title
    gerbera: Privilege escalation from user gerbera to root because of insecure %post script
    Summary
    An Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root. This issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 2.5.0-1.1 (custom)
    Date Public
    2025-01-21 15:59
    Credits
    Johannes Segitz of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23386",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T13:59:12.257573Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T14:22:23.310Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "gerbera",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "2.5.0-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Johannes Segitz of SUSE"
            }
          ],
          "datePublic": "2025-01-21T15:59:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root.,\u003cp\u003eThis issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1.\u003c/p\u003e"
                }
              ],
              "value": "A Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root.,This issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-10T09:42:18.391Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23386"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "gerbera: Privilege escalation from user gerbera to root because of insecure %post script",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2025-23386",
        "datePublished": "2025-04-10T09:42:18.391Z",
        "dateReserved": "2025-01-15T12:39:03.323Z",
        "dateUpdated": "2025-04-10T14:22:23.310Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-49504 (GCVE-0-2024-49504)

    Vulnerability from cvelistv5 – Published: 2024-11-13 14:44 – Updated: 2024-11-13 18:32
    VLAI
    Title
    grub2 allows bypassing TPM-bound disk encryption on SL(E)M encrypted Images
    Summary
    grub2 allowed attackers with access to the grub shell to access files on the encrypted disks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 2.12-28.1 (custom)
    suse opensuse_tumbleweed Affected: 0 , < 2.12-28.1 (custom)
        cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*
    Credits
    Fabian Vogt of SUSE

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "opensuse_tumbleweed",
                "vendor": "suse",
                "versions": [
                  {
                    "lessThan": "2.12-28.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-49504",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T18:31:10.396372Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T18:32:06.515Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "grub2",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "2.12-28.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fabian Vogt of SUSE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "grub2 allowed attackers with access to the grub shell to access files on the encrypted disks.\u003cbr\u003e"
                }
              ],
              "value": "grub2 allowed attackers with access to the grub shell to access files on the encrypted disks."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T14:44:23.659Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-49504"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "grub2 allows bypassing TPM-bound disk encryption on SL(E)M encrypted Images",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-49504",
        "datePublished": "2024-11-13T14:44:23.659Z",
        "dateReserved": "2024-10-15T13:20:07.748Z",
        "dateUpdated": "2024-11-13T18:32:06.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-22034 (GCVE-0-2024-22034)

    Vulnerability from cvelistv5 – Published: 2024-10-16 13:46 – Updated: 2024-10-31 13:34
    VLAI
    Title
    Crafted projects can overwrite special files in the .osc config directory
    Summary
    Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    Impacted products
    Vendor Product Version
    SUSE SUSE Linux Enterprise Desktop 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Module for Development Tools 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Desktop 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Module for Development Tools 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE SUSE Linux Enterprise Server 12 SP5 Affected: ? , < 0.183.0-15.18.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 12 SP5 Affected: ? , < 0.183.0-15.18.1 (custom)
    SUSE SUSE Linux Enterprise Software Development Kit 12 SP5 Affected: ? , < 0.183.0-15.18.1 (custom)
    SUSE openSUSE Leap 15.5 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE openSUSE Leap 15.6 Affected: ? , < 1.9.0-150400.10.6.1 (custom)
    SUSE openSUSE Tumbleweed Affected: ? , < 1.9.0-1.1 (custom)
    Date Public
    2024-08-19 11:42
    Credits
    Daniel Mach of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-22034",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:01:15.655473Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-31T13:34:34.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Desktop 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Desktop 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Module for Development Tools 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server 12 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.183.0-15.18.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.183.0-15.18.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "SUSE Linux Enterprise Software Development Kit 12 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.183.0-15.18.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "openSUSE Leap 15.5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "openSUSE Leap 15.6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-150400.10.6.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "osc",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "1.9.0-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Mach of SUSE"
            }
          ],
          "datePublic": "2024-08-19T11:42:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim\u003cbr\u003e"
                }
              ],
              "value": "Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T13:46:08.416Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22034"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Crafted projects can overwrite special files in the .osc config directory",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-22034",
        "datePublished": "2024-10-16T13:46:08.416Z",
        "dateReserved": "2024-01-04T12:38:34.024Z",
        "dateUpdated": "2024-10-31T13:34:34.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-22033 (GCVE-0-2024-22033)

    Vulnerability from cvelistv5 – Published: 2024-10-16 13:42 – Updated: 2024-10-16 14:07
    VLAI
    Title
    obs-service-download_url is vulnerable to argument injection
    Summary
    The OBS service obs-service-download_url was vulnerable to command injection. The attacker could provide a configuration to the service that allowed commands to be executed in later steps.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    SUSE SUSE Package Hub 15 SP5 Affected: ? , < 0.2.1-bp155.3.3.1 (custom)
    SUSE SUSE Package Hub 15 SP6 Affected: ? , < 0.2.1-bp156.2.3.1 (custom)
    SUSE openSUSE Leap 15.5 Affected: ? , < 0.2.1-bp155.3.3.1 (custom)
    SUSE openSUSE Leap 15.6 Affected: ? , < 0.2.1-bp156.2.3.1 (custom)
    SUSE openSUSE Tumbleweed Affected: ? , < 0.2.1-1.1 (custom)
    Date Public
    2024-07-11 14:21
    Credits
    Maxime Rinaudo

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-22033",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:07:38.141746Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T14:07:57.318Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "SUSE Package Hub 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-bp155.3.3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "SUSE Package Hub 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-bp156.2.3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "openSUSE Leap 15.5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-bp155.3.3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "openSUSE Leap 15.6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-bp156.2.3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "obs-service-download_url",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.2.1-1.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Maxime Rinaudo"
            }
          ],
          "datePublic": "2024-07-11T14:21:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps\u003cbr\u003e"
                }
              ],
              "value": "The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T13:42:46.559Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22033"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "obs-service-download_url is vulnerable to argument injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-22033",
        "datePublished": "2024-10-16T13:42:46.559Z",
        "dateReserved": "2024-01-04T12:38:34.024Z",
        "dateUpdated": "2024-10-16T14:07:57.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-22029 (GCVE-0-2024-22029)

    Vulnerability from cvelistv5 – Published: 2024-10-16 13:20 – Updated: 2025-08-26 20:18
    VLAI
    Title
    tomcat packaging allows for escalation to root from tomcat user
    Summary
    Insecure permissions in the packaging of tomcat allow local users that win a race during package installation to escalate to root
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    SUSE Container suse/manager/5.0/x86_64/server:5.0.0-beta1.2.122 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Enterprise Storage 7.1 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Module for Web and Scripting 15 SP5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise High Performance Computing 15 SP6 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Module for Web and Scripting 15 SP6 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP6 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP6 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP2-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP3-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 SP4-LTSS Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP2 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP3 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Linux Enterprise Server for SAP Applications 15 SP4 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE SUSE Manager Server 4.3 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE openSUSE Leap 15.5 Affected: ? , < 9.0.85-150200.57.1 (custom)
    SUSE openSUSE Tumbleweed Affected: ? , < 9.0.85-3.1 (custom)
    Date Public
    2024-02-14 14:59
    Credits
    Johannes Segitz of SUSE

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-22029",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T14:33:12.827088Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-26T20:18:11.916Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "Container suse/manager/5.0/x86_64/server:5.0.0-beta1.2.122",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Enterprise Storage 7.1",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise High Performance Computing 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP2-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP3-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server 15 SP4-LTSS",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "SUSE Manager Server 4.3",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "openSUSE Leap 15.5",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-150200.57.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "packageName": "tomcat",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "9.0.85-3.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Johannes Segitz of SUSE"
            }
          ],
          "datePublic": "2024-02-14T14:59:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insecure permissions in the packaging of tomcat allow local users that win a race during package installation to escalate to root\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Insecure permissions in the packaging of tomcat allow local users that win a race during package installation to escalate to root"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T13:20:47.698Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22029"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "tomcat packaging allows for escalation to root from tomcat user",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2024-22029",
        "datePublished": "2024-10-16T13:20:47.698Z",
        "dateReserved": "2024-01-04T12:38:34.023Z",
        "dateUpdated": "2025-08-26T20:18:11.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32190 (GCVE-0-2023-32190)

    Vulnerability from cvelistv5 – Published: 2024-10-16 12:03 – Updated: 2025-03-19 14:39
    Title
    mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable
    Summary
    mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    SUSE openSUSE Tumbleweed Affected: ? , < 0.26-37.1 (custom)
    suse opensuse_tumbleweed Affected: 0 , < 0.26-37.1 (custom)
        cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*
    Date Public
    2024-01-25 15:19
    Credits
    Johannes Segitz of SUSE

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:suse:opensuse_tumbleweed:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "opensuse_tumbleweed",
                "vendor": "suse",
                "versions": [
                  {
                    "lessThan": "0.26-37.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32190",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T15:58:57.464292Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-125",
                    "description": "CWE-125 Out-of-bounds Read",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-19T14:39:07.458Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "mlocate",
              "product": "openSUSE Tumbleweed",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThan": "0.26-37.1",
                  "status": "affected",
                  "version": "?",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Johannes Segitz of SUSE"
            }
          ],
          "datePublic": "2024-01-25T15:19:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "mlocate\u0027s %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges.\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "mlocate\u0027s %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-16T12:03:05.078Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32190"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "mlocate\u0027s %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2023-32190",
        "datePublished": "2024-10-16T12:03:05.078Z",
        "dateReserved": "2023-05-04T08:30:59.321Z",
        "dateUpdated": "2025-03-19T14:39:07.458Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }