Vulnerability-Lookup

CVE-2023-25173 (GCVE-0-2023-25173)

Vulnerability from cvelistv5 – Published: 2023-02-16 14:09 – Updated: 2025-03-10 21:10

Title

containerd supplementary groups are not set up properly

Summary

containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

12 references

URL	Tags
https://github.com/containerd/containerd/security…	x_refsource_CONFIRM
https://github.com/moby/moby/security/advisories/…	x_refsource_MISC
https://github.com/containerd/containerd/commit/1…	x_refsource_MISC
https://github.com/advisories/GHSA-4wjj-jwc9-2x96	x_refsource_MISC
https://github.com/advisories/GHSA-fjm8-m7m6-2fjp	x_refsource_MISC
https://github.com/advisories/GHSA-phjr-8j92-w5v7	x_refsource_MISC
https://github.com/containerd/containerd/releases…	x_refsource_MISC
https://github.com/containerd/containerd/releases…	x_refsource_MISC
https://www.benthamsgaze.org/2022/08/22/vulnerabi…	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/pac…
https://lists.fedoraproject.org/archives/list/pac…
https://lists.fedoraproject.org/archives/list/pac…

Impacted products

1 product

Vendor	Product	Version
containerd	containerd	Affected: < 1.5.18 Affected: >= 1.6.0, < 1.6.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:18:35.671Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
          },
          {
            "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
          },
          {
            "name": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
          },
          {
            "name": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
          },
          {
            "name": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
          },
          {
            "name": "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
          },
          {
            "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
          },
          {
            "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
          },
          {
            "name": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25173",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T21:00:44.060345Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:10:38.648Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.5.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.6.0, \u003c 1.6.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-15T20:06:31.329Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
        },
        {
          "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
        },
        {
          "name": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
        },
        {
          "name": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
        },
        {
          "name": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
        },
        {
          "name": "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
        },
        {
          "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
        },
        {
          "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
        },
        {
          "name": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
        }
      ],
      "source": {
        "advisory": "GHSA-hmfx-3pcx-653p",
        "discovery": "UNKNOWN"
      },
      "title": "containerd supplementary groups are not set up properly"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-25173",
    "datePublished": "2023-02-16T14:09:12.073Z",
    "dateReserved": "2023-02-03T16:59:18.247Z",
    "dateUpdated": "2025-03-10T21:10:38.648Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-25173",
      "date": "2026-06-22",
      "epss": "0.00542",
      "percentile": "0.41158"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-25173\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-16T15:15:20.057\",\"lastModified\":\"2024-11-21T07:49:15.083\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\\n\\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\\\"USER $USERNAME\\\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\\\"su\\\", \\\"-\\\", \\\"user\\\"]` to allow `su` to properly set up supplementary groups.\"},{\"lang\":\"es\",\"value\":\"Containerd es contenedor de c\u00f3digo abierto en tiempo de ejecuci\u00f3n. Se encontr\u00f3 un error en Containerd antes de las versiones 1.6.18 y 1.5.18 donde los grupos suplementarios no est\u00e1n configurados correctamente dentro de un contenedor. Si un atacante tiene acceso directo a un contenedor y manipula su acceso de grupo suplementario, es posible que pueda utilizar el acceso de grupo suplementario para eludir las restricciones del grupo primario en algunos casos, obteniendo potencialmente acceso a informaci\u00f3n confidencial o obteniendo la capacidad de ejecutar c\u00f3digo en ese contenedor. Las aplicaciones posteriores que utilizan la librer\u00eda cliente en containerd tambi\u00e9n pueden verse afectadas. Este error se ha solucionado en Containerd v1.6.18 y v.1.5.18. Los usuarios deben actualizar a estas versiones y volver a crear containers para resolver este problema. Los usuarios que dependen de una aplicaci\u00f3n posterior que utiliza la librer\u00eda cliente de Containerd deben verificar esa aplicaci\u00f3n para obtener avisos e instrucciones por separado. Como workaround, aseg\u00farese de que no se utilice la instrucci\u00f3n de Dockerfile `\\\"USER $USERNAME\\\"`. En su lugar, establezca el punto de entrada del contenedor en un valor similar a `ENTRYPOINT [\\\"su\\\", \\\"-\\\", \\\"user\\\"]` para permitir que `su` configure correctamente grupos suplementarios.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.5.18\",\"matchCriteriaId\":\"4C98A2DA-3CDD-4438-AECC-DDDA67E61935\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.6.0\",\"versionEndExcluding\":\"1.6.18\",\"matchCriteriaId\":\"BDD5FC3E-BEEB-4CAA-845E-3BADF39E46B2\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-4wjj-jwc9-2x96\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/advisories/GHSA-fjm8-m7m6-2fjp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/advisories/GHSA-phjr-8j92-w5v7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/containerd/containerd/releases/tag/v1.5.18\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/containerd/containerd/releases/tag/v1.6.18\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-4wjj-jwc9-2x96\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/advisories/GHSA-fjm8-m7m6-2fjp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/advisories/GHSA-phjr-8j92-w5v7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/containerd/containerd/releases/tag/v1.5.18\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/containerd/containerd/releases/tag/v1.6.18\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"containerd supplementary groups are not set up properly\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-863\", \"lang\": \"en\", \"description\": \"CWE-863: Incorrect Authorization\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"LOCAL\", \"availabilityImpact\": \"LOW\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p\"}, {\"name\": \"https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4\"}, {\"name\": \"https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a\"}, {\"name\": \"https://github.com/advisories/GHSA-4wjj-jwc9-2x96\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/advisories/GHSA-4wjj-jwc9-2x96\"}, {\"name\": \"https://github.com/advisories/GHSA-fjm8-m7m6-2fjp\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/advisories/GHSA-fjm8-m7m6-2fjp\"}, {\"name\": \"https://github.com/advisories/GHSA-phjr-8j92-w5v7\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/advisories/GHSA-phjr-8j92-w5v7\"}, {\"name\": \"https://github.com/containerd/containerd/releases/tag/v1.5.18\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/containerd/containerd/releases/tag/v1.5.18\"}, {\"name\": \"https://github.com/containerd/containerd/releases/tag/v1.6.18\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/containerd/containerd/releases/tag/v1.6.18\"}, {\"name\": \"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/\"}], \"affected\": [{\"vendor\": \"containerd\", \"product\": \"containerd\", \"versions\": [{\"version\": \"\u003c 1.5.18\", \"status\": \"affected\"}, {\"version\": \"\u003e= 1.6.0, \u003c 1.6.18\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-09-15T20:06:31.329Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\\n\\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\\\"USER $USERNAME\\\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\\\"su\\\", \\\"-\\\", \\\"user\\\"]` to allow `su` to properly set up supplementary groups.\"}], \"source\": {\"advisory\": \"GHSA-hmfx-3pcx-653p\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:18:35.671Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p\"}, {\"name\": \"https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4\"}, {\"name\": \"https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a\"}, {\"name\": \"https://github.com/advisories/GHSA-4wjj-jwc9-2x96\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/advisories/GHSA-4wjj-jwc9-2x96\"}, {\"name\": \"https://github.com/advisories/GHSA-fjm8-m7m6-2fjp\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/advisories/GHSA-fjm8-m7m6-2fjp\"}, {\"name\": \"https://github.com/advisories/GHSA-phjr-8j92-w5v7\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/advisories/GHSA-phjr-8j92-w5v7\"}, {\"name\": \"https://github.com/containerd/containerd/releases/tag/v1.5.18\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/containerd/containerd/releases/tag/v1.5.18\"}, {\"name\": \"https://github.com/containerd/containerd/releases/tag/v1.6.18\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/containerd/containerd/releases/tag/v1.6.18\"}, {\"name\": \"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-25173\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T21:00:44.060345Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T21:00:45.592Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-25173\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2023-02-03T16:59:18.247Z\", \"datePublished\": \"2023-02-16T14:09:12.073Z\", \"dateUpdated\": \"2025-03-10T21:10:38.648Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2026-AVI-0131

Vulnerability from certfr_avis - Published: 2026-02-06 - Updated: 2026-02-06

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Cloud Pak System	Cloud Pak System versions 2.3.4.x et postérieures, antérieures à 2.3.6.1
IBM	Cognos Analytics	Cognos Command Center versions 10.2.4.x et 10.2.5.x antérieures à 10.2.5 FP1 IF2
IBM	Db2	DB2 sans le correctif de sécurité 11.5.9 Special Build 62071
IBM	Db2	DB2 Data Management Console antérieures à 3.1.13.1
IBM	Db2	DB2 Data Management Console on CPD versions antérieurs à 4.8
IBM	Db2	DB2 Recovery Expert for LUW version 5.5 IF2 sans le correctif de sécurité v5.5.0.1 Interim Fix 8

References

Title

Publication Time

CERTFR-2026-AVI-0199

Vulnerability from certfr_avis - Published: 2026-02-24 - Updated: 2026-02-24

De multiples vulnérabilités ont été découvertes dans les produits VMware. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une injection de code indirecte à distance (XSS).

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
VMware	Telco Cloud Platform	Telco Cloud Platform versions 4.x et 5.x sans le correctif de sécurité KB428241
VMware	Tanzu Data Services	Tanzu Data Flow versions antérieures à 2.0.2 sur Tanzu Platform
VMware	Azure Spring Enterprise	Harbor Registry versions antérieures à 2.14.2
VMware	Tanzu Data Intelligence	Tanzu pour MySQL versions 2.0.0 sur Kubernetes
VMware	Cloud Foundation	Cloud Foundation versions 9.x antérieures à 9.0.2.0
VMware	Tanzu Kubernetes Runtime	App Metrics versions antérieures à2.3.3
VMware	Tanzu Data Intelligence	Tanzu GemFire versions antérieures à 2.6.1 sur Kubernetes
VMware	Tanzu Kubernetes Runtime	CredHub Secrets Management pour Tanzu Platform versions antérieures à 1.6.8
VMware	Tanzu Data Intelligence	Tanzu pour Valkey version 3.3.1 sur Kubernetes
VMware	Tanzu Operations Manager	Foundation Core pour Tanzu Platform versions antérieures à 3.2.4
VMware	Aria Operations	Aria Operations versions 8.x antérieures à 8.18.6
VMware	Tanzu Kubernetes Runtime	cf-mgmt pour Tanzu Platform versions antérieures à 1.0.108
VMware	Tanzu Data Intelligence	Tanzu pour Valkey version 9.0.1
VMware	Tanzu Kubernetes Runtime	Extended App Support pour Tanzu Platform versions antérieures à 1.0.15
VMware	Tanzu Data Intelligence	Tanzu GemFire Management versions antérieures à 1.4.3
VMware	Tanzu Kubernetes Runtime	NodeJS Buildpack versions antérieures à 1.8.77
VMware	Tanzu Kubernetes Runtime	Cloud Native Buildpacks pour Tanzu Platform versions antérieures à 0.6.5
VMware	Cloud Foundation	Cloud Foundation versions 4.x et 5.x sans le correctif de sécurité KB92148
VMware	Tanzu Kubernetes Runtime	AI Services pour Tanzu Platform versions antérieures à 10.3.4
VMware	Tanzu Kubernetes Runtime	Java Buildpack versions antérieures à 4.89.0
VMware	Telco Cloud Infrastructure	Telco Cloud Infrastructure versions 2.x et 3.x sans le correctif de sécurité KB428241
VMware	Tanzu Kubernetes Runtime	Elastic Application Runtime pour Tanzu Platform versions antérieures à 6.0.25+LTS-T, 10.2.8+LTS-T et 10.3.5

References

Title

Publication Time

FKIE_CVE-2023-25173

Vulnerability from fkie_nvd - Published: 2023-02-16 15:15 - Updated: 2026-06-17 05:40

Severity

5.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/advisories/GHSA-4wjj-jwc9-2x96	Not Applicable
security-advisories@github.com	https://github.com/advisories/GHSA-fjm8-m7m6-2fjp	Not Applicable
security-advisories@github.com	https://github.com/advisories/GHSA-phjr-8j92-w5v7	Not Applicable
security-advisories@github.com	https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a	Patch
security-advisories@github.com	https://github.com/containerd/containerd/releases/tag/v1.5.18	Release Notes
security-advisories@github.com	https://github.com/containerd/containerd/releases/tag/v1.6.18	Release Notes
security-advisories@github.com	https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p	Mitigation, Vendor Advisory
security-advisories@github.com	https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4	Not Applicable
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
security-advisories@github.com	https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-4wjj-jwc9-2x96	Not Applicable
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-fjm8-m7m6-2fjp	Not Applicable
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-phjr-8j92-w5v7	Not Applicable
af854a3a-2127-422b-91ae-364da2661108	https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/containerd/containerd/releases/tag/v1.5.18	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/containerd/containerd/releases/tag/v1.6.18	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4	Not Applicable
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
af854a3a-2127-422b-91ae-364da2661108	https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	linuxfoundation	containerd	*
	linuxfoundation	containerd	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.5.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.6.0, \u003c 1.6.18"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C98A2DA-3CDD-4438-AECC-DDDA67E61935",
              "versionEndExcluding": "1.5.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDD5FC3E-BEEB-4CAA-845E-3BADF39E46B2",
              "versionEndExcluding": "1.6.18",
              "versionStartIncluding": "1.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups."
    },
    {
      "lang": "es",
      "value": "Containerd es contenedor de c\u00f3digo abierto en tiempo de ejecuci\u00f3n. Se encontr\u00f3 un error en Containerd antes de las versiones 1.6.18 y 1.5.18 donde los grupos suplementarios no est\u00e1n configurados correctamente dentro de un contenedor. Si un atacante tiene acceso directo a un contenedor y manipula su acceso de grupo suplementario, es posible que pueda utilizar el acceso de grupo suplementario para eludir las restricciones del grupo primario en algunos casos, obteniendo potencialmente acceso a informaci\u00f3n confidencial o obteniendo la capacidad de ejecutar c\u00f3digo en ese contenedor. Las aplicaciones posteriores que utilizan la librer\u00eda cliente en containerd tambi\u00e9n pueden verse afectadas. Este error se ha solucionado en Containerd v1.6.18 y v.1.5.18. Los usuarios deben actualizar a estas versiones y volver a crear containers para resolver este problema. Los usuarios que dependen de una aplicaci\u00f3n posterior que utiliza la librer\u00eda cliente de Containerd deben verificar esa aplicaci\u00f3n para obtener avisos e instrucciones por separado. Como workaround, aseg\u00farese de que no se utilice la instrucci\u00f3n de Dockerfile `\"USER $USERNAME\"`. En su lugar, establezca el punto de entrada del contenedor en un valor similar a `ENTRYPOINT [\"su\", \"-\", \"user\"]` para permitir que `su` configure correctamente grupos suplementarios."
    }
  ],
  "id": "CVE-2023-25173",
  "lastModified": "2026-06-17T05:40:50.410",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2023-25173",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2025-03-10T21:00:44.060345Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2023-02-16T15:15:20.057",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-HMFX-3PCX-653P

Vulnerability from github – Published: 2023-02-16 14:11 – Updated: 2024-09-06 21:37

Summary

Supplementary groups are not set up properly in github.com/containerd/containerd

Details

Impact

A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.

Downstream applications that use the containerd client library may be affected as well.

Patches

This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions.

Workarounds

Ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups.

References

https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
Docker/Moby: CVE-2022-36109, fixed in Docker 20.10.18
CRI-O: CVE-2022-2995, fixed in CRI-O 1.25.0
Podman: CVE-2022-2989, fixed in Podman 3.0.1 and 4.2.0
Buildah: CVE-2022-2990, fixed in Buildah 1.27.1

Note that CVE IDs apply to a particular implementation, even if an issue is common.

For more information

If you have any questions or comments about this advisory:

Open an issue in containerd
Email us at security@containerd.io

To report a security issue in containerd: * Report a new vulnerability * Email us at security@containerd.io

Severity

5.3 (Medium)


                  
                    CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containerd/containerd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-16T14:11:33Z",
    "nvd_published_at": "2023-02-16T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA bug was found in containerd where supplementary groups are not set up properly inside a container.  If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.\n\nDownstream applications that use the containerd client library may be affected as well.\n\n### Patches\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18.  Users should update to these versions and recreate containers to resolve this issue.  Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions.\n\n### Workarounds\n\nEnsure that the `\"USER $USERNAME\"` Dockerfile instruction is not used.  Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.\n\n### References\n\n- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/\n- Docker/Moby: CVE-2022-36109, fixed in Docker 20.10.18\n- CRI-O: CVE-2022-2995, fixed in CRI-O 1.25.0\n- Podman: CVE-2022-2989, fixed in Podman 3.0.1 and 4.2.0\n- Buildah: CVE-2022-2990, fixed in Buildah 1.27.1\n\nNote that CVE IDs apply to a particular implementation, even if an issue is common.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)\n* Email us at [security@containerd.io](mailto:security@containerd.io)\n\nTo report a security issue in containerd:\n* [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new)\n* Email us at [security@containerd.io](mailto:security@containerd.io)",
  "id": "GHSA-hmfx-3pcx-653p",
  "modified": "2024-09-06T21:37:04Z",
  "published": "2023-02-16T14:11:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25173"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containerd/containerd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2023-1574"
    },
    {
      "type": "WEB",
      "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Supplementary groups are not set up properly in github.com/containerd/containerd"
}

GSD-2023-25173

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-25173

Aliases

CVE-2023-25173

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-25173",
    "id": "GSD-2023-25173",
    "references": [
      "https://www.suse.com/security/cve/CVE-2023-25173.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-25173"
      ],
      "details": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.",
      "id": "GSD-2023-25173",
      "modified": "2023-12-13T01:20:40.539673Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-25173",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "containerd",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.5.18"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.6.0, \u003c 1.6.18"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "containerd"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863: Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
            "refsource": "MISC",
            "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
          },
          {
            "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
            "refsource": "MISC",
            "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
          },
          {
            "name": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
            "refsource": "MISC",
            "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
          },
          {
            "name": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
            "refsource": "MISC",
            "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
          },
          {
            "name": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
            "refsource": "MISC",
            "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
          },
          {
            "name": "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
            "refsource": "MISC",
            "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
          },
          {
            "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
            "refsource": "MISC",
            "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
          },
          {
            "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
            "refsource": "MISC",
            "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
          },
          {
            "name": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
            "refsource": "MISC",
            "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-hmfx-3pcx-653p",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv1.5.18 || \u003e=v1.6.0 \u003cv1.6.18",
          "affected_versions": "All versions before v1.5.18, all versions starting from v1.6.0 before v1.6.18",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-863",
            "CWE-937"
          ],
          "date": "2023-02-24",
          "description": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.",
          "fixed_versions": [
            "v1.5.18",
            "v1.6.18"
          ],
          "identifier": "CVE-2023-25173",
          "identifiers": [
            "CVE-2023-25173",
            "GHSA-hmfx-3pcx-653p"
          ],
          "not_impacted": "All versions starting from v1.5.18 before v1.6.0, all versions starting from v1.6.18",
          "package_slug": "go/github.com/containerd/containerd",
          "pubdate": "2023-02-16",
          "solution": "Upgrade to versions 1.5.18, 1.6.18 or above.",
          "title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
          "urls": [
            "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
            "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-25173",
            "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
            "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
            "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
            "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
            "https://github.com/containerd/containerd/releases/tag/v1.5.18",
            "https://github.com/containerd/containerd/releases/tag/v1.6.18",
            "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
            "https://github.com/advisories/GHSA-hmfx-3pcx-653p"
          ],
          "uuid": "10a9981d-0c93-4afe-be8d-dbd260b03d8a",
          "versions": [
            {
              "commit": {
                "sha": "13a9d2087b04c1a99ba3fb3159fbd6b2493ca6dd",
                "tags": [
                  "v1.6.0"
                ],
                "timestamp": "20220216014847"
              },
              "number": "v1.6.0"
            },
            {
              "commit": {
                "sha": "21d8aa8ea950620842dc73fe22bbec3dc6c4cb27",
                "tags": [
                  "v1.5.18"
                ],
                "timestamp": "20230215224052"
              },
              "number": "v1.5.18"
            },
            {
              "commit": {
                "sha": "204e30211cba2e8cdb7ae617879898e51bbba8bc",
                "tags": [
                  "v1.6.18"
                ],
                "timestamp": "20230215225028"
              },
              "number": "v1.6.18"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.5.18",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.6.18",
                "versionStartIncluding": "1.6.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-25173"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-863"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/advisories/GHSA-phjr-8j92-w5v7",
              "refsource": "MISC",
              "tags": [
                "Not Applicable"
              ],
              "url": "https://github.com/advisories/GHSA-phjr-8j92-w5v7"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
            },
            {
              "name": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96",
              "refsource": "MISC",
              "tags": [
                "Not Applicable"
              ],
              "url": "https://github.com/advisories/GHSA-4wjj-jwc9-2x96"
            },
            {
              "name": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
            },
            {
              "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4",
              "refsource": "MISC",
              "tags": [
                "Not Applicable"
              ],
              "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4"
            },
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
            },
            {
              "name": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp",
              "refsource": "MISC",
              "tags": [
                "Not Applicable"
              ],
              "url": "https://github.com/advisories/GHSA-fjm8-m7m6-2fjp"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-09-15T21:15Z",
      "publishedDate": "2023-02-16T15:15Z"
    }
  }
}

MSRC_CVE-2023-25173

Vulnerability from csaf_microsoft - Published: 2023-02-01 00:00 - Updated: 2023-03-20 00:00

Summary

containerd supplementary groups are not set up properly

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-25173

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-863 - Incorrect Authorization

Affected products

Fixed 3 products

Product	Identifier	Version	Remediation
Unresolved product id: 17960-16820		—
Unresolved product id: 17961-17086		—
Unresolved product id: 17965-17086		—

Known affected 3 products

Product	Version	Remediation
Unresolved product id: 16820-3	—	Vendor Fix fix
Unresolved product id: 17086-2	—	Vendor Fix fix
Unresolved product id: 17086-1	—	Vendor Fix fix

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2023/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2023/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2023-25173 containerd supplementary groups are not set up properly - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-25173.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "containerd supplementary groups are not set up properly",
    "tracking": {
      "current_release_date": "2023-03-20T00:00:00.000Z",
      "generator": {
        "date": "2025-12-06T21:45:58.608Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2023-25173",
      "initial_release_date": "2023-02-01T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2023-02-20T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2023-02-25T00:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Added moby-containerd to CBL-Mariner 2.0"
        },
        {
          "date": "2023-03-20T00:00:00.000Z",
          "legacy_version": "1.2",
          "number": "3",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.0",
                "product": {
                  "name": "CBL Mariner 1.0",
                  "product_id": "16820"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccm1 moby-containerd 1.6.6+azure-9",
                "product": {
                  "name": "\u003ccm1 moby-containerd 1.6.6+azure-9",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 moby-containerd 1.6.6+azure-9",
                "product": {
                  "name": "cm1 moby-containerd 1.6.6+azure-9",
                  "product_id": "17960"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 moby-containerd 1.6.18-2",
                "product": {
                  "name": "\u003ccbl2 moby-containerd 1.6.18-2",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 moby-containerd 1.6.18-2",
                "product": {
                  "name": "cbl2 moby-containerd 1.6.18-2",
                  "product_id": "17961"
                }
              }
            ],
            "category": "product_name",
            "name": "moby-containerd"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 k3s 1.24.12-2",
                "product": {
                  "name": "\u003ccbl2 k3s 1.24.12-2",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 k3s 1.24.12-2",
                "product": {
                  "name": "cbl2 k3s 1.24.12-2",
                  "product_id": "17965"
                }
              }
            ],
            "category": "product_name",
            "name": "k3s"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 moby-containerd 1.6.6+azure-9 as a component of CBL Mariner 1.0",
          "product_id": "16820-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 moby-containerd 1.6.6+azure-9 as a component of CBL Mariner 1.0",
          "product_id": "17960-16820"
        },
        "product_reference": "17960",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 moby-containerd 1.6.18-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 moby-containerd 1.6.18-2 as a component of CBL Mariner 2.0",
          "product_id": "17961-17086"
        },
        "product_reference": "17961",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 k3s 1.24.12-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 k3s 1.24.12-2 as a component of CBL Mariner 2.0",
          "product_id": "17965-17086"
        },
        "product_reference": "17965",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-25173",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "17960-16820",
          "17961-17086",
          "17965-17086"
        ],
        "known_affected": [
          "16820-3",
          "17086-2",
          "17086-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-25173 containerd supplementary groups are not set up properly - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-25173.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-02-20T00:00:00.000Z",
          "details": "1.6.6+azure-9:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "16820-3"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2023-02-20T00:00:00.000Z",
          "details": "1.6.18-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-2"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2023-02-20T00:00:00.000Z",
          "details": "1.24.12-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "16820-3",
            "17086-2",
            "17086-1"
          ]
        }
      ],
      "title": "containerd supplementary groups are not set up properly"
    }
  ]
}

OPENSUSE-SU-2024:12822-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

containerd-1.6.19-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: containerd-1.6.19-1.1 on GA media

Description of the patch: These are all security issues fixed in the containerd-1.6.19-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12822

CVE-2023-25153

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:containerd-1.6.19-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-1.6.19-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-1.6.19-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-1.6.19-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2023-25173

5.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:containerd-1.6.19-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-1.6.19-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-1.6.19-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-1.6.19-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

9 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2023-25153/	self
https://www.suse.com/security/cve/CVE-2023-25173/	self
https://www.suse.com/security/cve/CVE-2023-25153	external
https://bugzilla.suse.com/1208423	external
https://www.suse.com/security/cve/CVE-2023-25173	external
https://bugzilla.suse.com/1208426	external
https://bugzilla.suse.com/1215588	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "containerd-1.6.19-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the containerd-1.6.19-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12822",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12822-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-25153 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-25153/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-25173 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-25173/"
      }
    ],
    "title": "containerd-1.6.19-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12822-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containerd-1.6.19-1.1.aarch64",
                "product": {
                  "name": "containerd-1.6.19-1.1.aarch64",
                  "product_id": "containerd-1.6.19-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "containerd-ctr-1.6.19-1.1.aarch64",
                "product": {
                  "name": "containerd-ctr-1.6.19-1.1.aarch64",
                  "product_id": "containerd-ctr-1.6.19-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "containerd-devel-1.6.19-1.1.aarch64",
                "product": {
                  "name": "containerd-devel-1.6.19-1.1.aarch64",
                  "product_id": "containerd-devel-1.6.19-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containerd-1.6.19-1.1.ppc64le",
                "product": {
                  "name": "containerd-1.6.19-1.1.ppc64le",
                  "product_id": "containerd-1.6.19-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "containerd-ctr-1.6.19-1.1.ppc64le",
                "product": {
                  "name": "containerd-ctr-1.6.19-1.1.ppc64le",
                  "product_id": "containerd-ctr-1.6.19-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "containerd-devel-1.6.19-1.1.ppc64le",
                "product": {
                  "name": "containerd-devel-1.6.19-1.1.ppc64le",
                  "product_id": "containerd-devel-1.6.19-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containerd-1.6.19-1.1.s390x",
                "product": {
                  "name": "containerd-1.6.19-1.1.s390x",
                  "product_id": "containerd-1.6.19-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "containerd-ctr-1.6.19-1.1.s390x",
                "product": {
                  "name": "containerd-ctr-1.6.19-1.1.s390x",
                  "product_id": "containerd-ctr-1.6.19-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "containerd-devel-1.6.19-1.1.s390x",
                "product": {
                  "name": "containerd-devel-1.6.19-1.1.s390x",
                  "product_id": "containerd-devel-1.6.19-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containerd-1.6.19-1.1.x86_64",
                "product": {
                  "name": "containerd-1.6.19-1.1.x86_64",
                  "product_id": "containerd-1.6.19-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "containerd-ctr-1.6.19-1.1.x86_64",
                "product": {
                  "name": "containerd-ctr-1.6.19-1.1.x86_64",
                  "product_id": "containerd-ctr-1.6.19-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "containerd-devel-1.6.19-1.1.x86_64",
                "product": {
                  "name": "containerd-devel-1.6.19-1.1.x86_64",
                  "product_id": "containerd-devel-1.6.19-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-1.6.19-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-1.6.19-1.1.aarch64"
        },
        "product_reference": "containerd-1.6.19-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-1.6.19-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-1.6.19-1.1.ppc64le"
        },
        "product_reference": "containerd-1.6.19-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-1.6.19-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-1.6.19-1.1.s390x"
        },
        "product_reference": "containerd-1.6.19-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-1.6.19-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-1.6.19-1.1.x86_64"
        },
        "product_reference": "containerd-1.6.19-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-ctr-1.6.19-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.aarch64"
        },
        "product_reference": "containerd-ctr-1.6.19-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-ctr-1.6.19-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.ppc64le"
        },
        "product_reference": "containerd-ctr-1.6.19-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-ctr-1.6.19-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.s390x"
        },
        "product_reference": "containerd-ctr-1.6.19-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-ctr-1.6.19-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.x86_64"
        },
        "product_reference": "containerd-ctr-1.6.19-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-devel-1.6.19-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.aarch64"
        },
        "product_reference": "containerd-devel-1.6.19-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-devel-1.6.19-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.ppc64le"
        },
        "product_reference": "containerd-devel-1.6.19-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-devel-1.6.19-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.s390x"
        },
        "product_reference": "containerd-devel-1.6.19-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-devel-1.6.19-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.x86_64"
        },
        "product_reference": "containerd-devel-1.6.19-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-25153",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-25153"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18.  Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:containerd-1.6.19-1.1.aarch64",
          "openSUSE Tumbleweed:containerd-1.6.19-1.1.ppc64le",
          "openSUSE Tumbleweed:containerd-1.6.19-1.1.s390x",
          "openSUSE Tumbleweed:containerd-1.6.19-1.1.x86_64",
          "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.aarch64",
          "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.ppc64le",
          "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.s390x",
          "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.x86_64",
          "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.aarch64",
          "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.ppc64le",
          "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.s390x",
          "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-25153",
          "url": "https://www.suse.com/security/cve/CVE-2023-25153"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208423 for CVE-2023-25153",
          "url": "https://bugzilla.suse.com/1208423"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.x86_64",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.x86_64",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.x86_64",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.x86_64",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-25153"
    },
    {
      "cve": "CVE-2023-25173",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-25173"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:containerd-1.6.19-1.1.aarch64",
          "openSUSE Tumbleweed:containerd-1.6.19-1.1.ppc64le",
          "openSUSE Tumbleweed:containerd-1.6.19-1.1.s390x",
          "openSUSE Tumbleweed:containerd-1.6.19-1.1.x86_64",
          "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.aarch64",
          "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.ppc64le",
          "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.s390x",
          "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.x86_64",
          "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.aarch64",
          "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.ppc64le",
          "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.s390x",
          "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-25173",
          "url": "https://www.suse.com/security/cve/CVE-2023-25173"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208426 for CVE-2023-25173",
          "url": "https://bugzilla.suse.com/1208426"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215588 for CVE-2023-25173",
          "url": "https://bugzilla.suse.com/1215588"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.x86_64",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.x86_64",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-1.6.19-1.1.x86_64",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-ctr-1.6.19-1.1.x86_64",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.aarch64",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.ppc64le",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.s390x",
            "openSUSE Tumbleweed:containerd-devel-1.6.19-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-25173"
    }
  ]
}

OPENSUSE-SU-2024:13295-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

helm-3.13.0-2.1 on GA media

Severity

Moderate

Notes

Title of the patch: helm-3.13.0-2.1 on GA media

Description of the patch: These are all security issues fixed in the helm-3.13.0-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13295

CVE-2023-25173

5.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm-3.13.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-3.13.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-3.13.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-3.13.0-2.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

6 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2023-25173/	self
https://www.suse.com/security/cve/CVE-2023-25173	external
https://bugzilla.suse.com/1208426	external
https://bugzilla.suse.com/1215588	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "helm-3.13.0-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the helm-3.13.0-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13295",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13295-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-25173 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-25173/"
      }
    ],
    "title": "helm-3.13.0-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13295-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "helm-3.13.0-2.1.aarch64",
                "product": {
                  "name": "helm-3.13.0-2.1.aarch64",
                  "product_id": "helm-3.13.0-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "helm-bash-completion-3.13.0-2.1.aarch64",
                "product": {
                  "name": "helm-bash-completion-3.13.0-2.1.aarch64",
                  "product_id": "helm-bash-completion-3.13.0-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "helm-fish-completion-3.13.0-2.1.aarch64",
                "product": {
                  "name": "helm-fish-completion-3.13.0-2.1.aarch64",
                  "product_id": "helm-fish-completion-3.13.0-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "helm-zsh-completion-3.13.0-2.1.aarch64",
                "product": {
                  "name": "helm-zsh-completion-3.13.0-2.1.aarch64",
                  "product_id": "helm-zsh-completion-3.13.0-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "helm-3.13.0-2.1.ppc64le",
                "product": {
                  "name": "helm-3.13.0-2.1.ppc64le",
                  "product_id": "helm-3.13.0-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "helm-bash-completion-3.13.0-2.1.ppc64le",
                "product": {
                  "name": "helm-bash-completion-3.13.0-2.1.ppc64le",
                  "product_id": "helm-bash-completion-3.13.0-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "helm-fish-completion-3.13.0-2.1.ppc64le",
                "product": {
                  "name": "helm-fish-completion-3.13.0-2.1.ppc64le",
                  "product_id": "helm-fish-completion-3.13.0-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "helm-zsh-completion-3.13.0-2.1.ppc64le",
                "product": {
                  "name": "helm-zsh-completion-3.13.0-2.1.ppc64le",
                  "product_id": "helm-zsh-completion-3.13.0-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "helm-3.13.0-2.1.s390x",
                "product": {
                  "name": "helm-3.13.0-2.1.s390x",
                  "product_id": "helm-3.13.0-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "helm-bash-completion-3.13.0-2.1.s390x",
                "product": {
                  "name": "helm-bash-completion-3.13.0-2.1.s390x",
                  "product_id": "helm-bash-completion-3.13.0-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "helm-fish-completion-3.13.0-2.1.s390x",
                "product": {
                  "name": "helm-fish-completion-3.13.0-2.1.s390x",
                  "product_id": "helm-fish-completion-3.13.0-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "helm-zsh-completion-3.13.0-2.1.s390x",
                "product": {
                  "name": "helm-zsh-completion-3.13.0-2.1.s390x",
                  "product_id": "helm-zsh-completion-3.13.0-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "helm-3.13.0-2.1.x86_64",
                "product": {
                  "name": "helm-3.13.0-2.1.x86_64",
                  "product_id": "helm-3.13.0-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "helm-bash-completion-3.13.0-2.1.x86_64",
                "product": {
                  "name": "helm-bash-completion-3.13.0-2.1.x86_64",
                  "product_id": "helm-bash-completion-3.13.0-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "helm-fish-completion-3.13.0-2.1.x86_64",
                "product": {
                  "name": "helm-fish-completion-3.13.0-2.1.x86_64",
                  "product_id": "helm-fish-completion-3.13.0-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "helm-zsh-completion-3.13.0-2.1.x86_64",
                "product": {
                  "name": "helm-zsh-completion-3.13.0-2.1.x86_64",
                  "product_id": "helm-zsh-completion-3.13.0-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-3.13.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-3.13.0-2.1.aarch64"
        },
        "product_reference": "helm-3.13.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-3.13.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-3.13.0-2.1.ppc64le"
        },
        "product_reference": "helm-3.13.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-3.13.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-3.13.0-2.1.s390x"
        },
        "product_reference": "helm-3.13.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-3.13.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-3.13.0-2.1.x86_64"
        },
        "product_reference": "helm-3.13.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-bash-completion-3.13.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.aarch64"
        },
        "product_reference": "helm-bash-completion-3.13.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-bash-completion-3.13.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.ppc64le"
        },
        "product_reference": "helm-bash-completion-3.13.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-bash-completion-3.13.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.s390x"
        },
        "product_reference": "helm-bash-completion-3.13.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-bash-completion-3.13.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.x86_64"
        },
        "product_reference": "helm-bash-completion-3.13.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-fish-completion-3.13.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.aarch64"
        },
        "product_reference": "helm-fish-completion-3.13.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-fish-completion-3.13.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.ppc64le"
        },
        "product_reference": "helm-fish-completion-3.13.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-fish-completion-3.13.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.s390x"
        },
        "product_reference": "helm-fish-completion-3.13.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-fish-completion-3.13.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.x86_64"
        },
        "product_reference": "helm-fish-completion-3.13.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-zsh-completion-3.13.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.aarch64"
        },
        "product_reference": "helm-zsh-completion-3.13.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-zsh-completion-3.13.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.ppc64le"
        },
        "product_reference": "helm-zsh-completion-3.13.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-zsh-completion-3.13.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.s390x"
        },
        "product_reference": "helm-zsh-completion-3.13.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm-zsh-completion-3.13.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.x86_64"
        },
        "product_reference": "helm-zsh-completion-3.13.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-25173",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-25173"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm-3.13.0-2.1.aarch64",
          "openSUSE Tumbleweed:helm-3.13.0-2.1.ppc64le",
          "openSUSE Tumbleweed:helm-3.13.0-2.1.s390x",
          "openSUSE Tumbleweed:helm-3.13.0-2.1.x86_64",
          "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.aarch64",
          "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.ppc64le",
          "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.s390x",
          "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.x86_64",
          "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.aarch64",
          "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.ppc64le",
          "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.s390x",
          "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.x86_64",
          "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.aarch64",
          "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.ppc64le",
          "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.s390x",
          "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-25173",
          "url": "https://www.suse.com/security/cve/CVE-2023-25173"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208426 for CVE-2023-25173",
          "url": "https://bugzilla.suse.com/1208426"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215588 for CVE-2023-25173",
          "url": "https://bugzilla.suse.com/1215588"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm-3.13.0-2.1.aarch64",
            "openSUSE Tumbleweed:helm-3.13.0-2.1.ppc64le",
            "openSUSE Tumbleweed:helm-3.13.0-2.1.s390x",
            "openSUSE Tumbleweed:helm-3.13.0-2.1.x86_64",
            "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.aarch64",
            "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.ppc64le",
            "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.s390x",
            "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.x86_64",
            "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.aarch64",
            "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.ppc64le",
            "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.s390x",
            "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.x86_64",
            "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.aarch64",
            "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.ppc64le",
            "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.s390x",
            "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm-3.13.0-2.1.aarch64",
            "openSUSE Tumbleweed:helm-3.13.0-2.1.ppc64le",
            "openSUSE Tumbleweed:helm-3.13.0-2.1.s390x",
            "openSUSE Tumbleweed:helm-3.13.0-2.1.x86_64",
            "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.aarch64",
            "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.ppc64le",
            "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.s390x",
            "openSUSE Tumbleweed:helm-bash-completion-3.13.0-2.1.x86_64",
            "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.aarch64",
            "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.ppc64le",
            "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.s390x",
            "openSUSE Tumbleweed:helm-fish-completion-3.13.0-2.1.x86_64",
            "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.aarch64",
            "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.ppc64le",
            "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.s390x",
            "openSUSE Tumbleweed:helm-zsh-completion-3.13.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-25173"
    }
  ]
}

OPENSUSE-SU-2025:15779-1

Vulnerability from csaf_opensuse - Published: 2025-11-28 00:00 - Updated: 2025-11-28 00:00

Summary

helm3-3.19.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: helm3-3.19.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the helm3-3.19.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2025-15779

CVE-2018-16873

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2018-16874

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2018-16875

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2021-21272

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2022-1996

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2022-23524

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23525

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact low

CVE-2022-23526

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact low

CVE-2022-36055

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2023-25165

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2023-25173

5.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-25620

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-26147

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-45337

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-45338

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2025-22870

4.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2025-22872

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2025-47911

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2025-53547

8.5 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2025-58190

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 16 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

70 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2018-16873/	self
https://www.suse.com/security/cve/CVE-2018-16874/	self
https://www.suse.com/security/cve/CVE-2018-16875/	self
https://www.suse.com/security/cve/CVE-2021-21272/	self
https://www.suse.com/security/cve/CVE-2022-1996/	self
https://www.suse.com/security/cve/CVE-2022-23524/	self
https://www.suse.com/security/cve/CVE-2022-23525/	self
https://www.suse.com/security/cve/CVE-2022-23526/	self
https://www.suse.com/security/cve/CVE-2022-36055/	self
https://www.suse.com/security/cve/CVE-2023-25165/	self
https://www.suse.com/security/cve/CVE-2023-25173/	self
https://www.suse.com/security/cve/CVE-2024-25620/	self
https://www.suse.com/security/cve/CVE-2024-26147/	self
https://www.suse.com/security/cve/CVE-2024-45337/	self
https://www.suse.com/security/cve/CVE-2024-45338/	self
https://www.suse.com/security/cve/CVE-2025-22870/	self
https://www.suse.com/security/cve/CVE-2025-22872/	self
https://www.suse.com/security/cve/CVE-2025-47911/	self
https://www.suse.com/security/cve/CVE-2025-53547/	self
https://www.suse.com/security/cve/CVE-2025-58190/	self
https://www.suse.com/security/cve/CVE-2018-16873	external
https://bugzilla.suse.com/1118897	external
https://bugzilla.suse.com/1118898	external
https://bugzilla.suse.com/1118899	external
https://www.suse.com/security/cve/CVE-2018-16874	external
https://bugzilla.suse.com/1118897	external
https://bugzilla.suse.com/1118898	external
https://bugzilla.suse.com/1118899	external
https://www.suse.com/security/cve/CVE-2018-16875	external
https://bugzilla.suse.com/1118897	external
https://bugzilla.suse.com/1118898	external
https://bugzilla.suse.com/1118899	external
https://www.suse.com/security/cve/CVE-2021-21272	external
https://bugzilla.suse.com/1181419	external
https://www.suse.com/security/cve/CVE-2022-1996	external
https://bugzilla.suse.com/1200528	external
https://www.suse.com/security/cve/CVE-2022-23524	external
https://bugzilla.suse.com/1206467	external
https://www.suse.com/security/cve/CVE-2022-23525	external
https://bugzilla.suse.com/1206469	external
https://www.suse.com/security/cve/CVE-2022-23526	external
https://bugzilla.suse.com/1206471	external
https://www.suse.com/security/cve/CVE-2022-36055	external
https://bugzilla.suse.com/1203054	external
https://www.suse.com/security/cve/CVE-2023-25165	external
https://bugzilla.suse.com/1208083	external
https://www.suse.com/security/cve/CVE-2023-25173	external
https://bugzilla.suse.com/1208426	external
https://bugzilla.suse.com/1215588	external
https://www.suse.com/security/cve/CVE-2024-25620	external
https://bugzilla.suse.com/1219969	external
https://www.suse.com/security/cve/CVE-2024-26147	external
https://bugzilla.suse.com/1220207	external
https://www.suse.com/security/cve/CVE-2024-45337	external
https://bugzilla.suse.com/1234482	external
https://www.suse.com/security/cve/CVE-2024-45338	external
https://bugzilla.suse.com/1234794	external
https://www.suse.com/security/cve/CVE-2025-22870	external
https://bugzilla.suse.com/1238572	external
https://bugzilla.suse.com/1238611	external
https://www.suse.com/security/cve/CVE-2025-22872	external
https://bugzilla.suse.com/1241710	external
https://www.suse.com/security/cve/CVE-2025-47911	external
https://bugzilla.suse.com/1251308	external
https://www.suse.com/security/cve/CVE-2025-53547	external
https://bugzilla.suse.com/1246150	external
https://www.suse.com/security/cve/CVE-2025-58190	external
https://bugzilla.suse.com/1251309	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "helm3-3.19.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the helm3-3.19.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15779",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15779-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-16873 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-16873/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-16874 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-16874/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-16875 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-16875/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-21272 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-21272/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-1996 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-1996/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23524 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23524/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23525 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23525/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23526 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23526/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-36055 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-36055/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-25165 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-25165/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-25173 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-25173/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-25620 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-25620/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26147 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26147/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45337 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45337/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45338 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45338/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22870 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22870/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22872 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22872/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-47911 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-47911/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-53547 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-53547/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-58190 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-58190/"
      }
    ],
    "title": "helm3-3.19.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-11-28T00:00:00Z",
      "generator": {
        "date": "2025-11-28T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15779-1",
      "initial_release_date": "2025-11-28T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-11-28T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "helm3-3.19.2-1.1.aarch64",
                "product": {
                  "name": "helm3-3.19.2-1.1.aarch64",
                  "product_id": "helm3-3.19.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-bash-completion-3.19.2-1.1.aarch64",
                "product": {
                  "name": "helm3-bash-completion-3.19.2-1.1.aarch64",
                  "product_id": "helm3-bash-completion-3.19.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-fish-completion-3.19.2-1.1.aarch64",
                "product": {
                  "name": "helm3-fish-completion-3.19.2-1.1.aarch64",
                  "product_id": "helm3-fish-completion-3.19.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-zsh-completion-3.19.2-1.1.aarch64",
                "product": {
                  "name": "helm3-zsh-completion-3.19.2-1.1.aarch64",
                  "product_id": "helm3-zsh-completion-3.19.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "helm3-3.19.2-1.1.ppc64le",
                "product": {
                  "name": "helm3-3.19.2-1.1.ppc64le",
                  "product_id": "helm3-3.19.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-bash-completion-3.19.2-1.1.ppc64le",
                "product": {
                  "name": "helm3-bash-completion-3.19.2-1.1.ppc64le",
                  "product_id": "helm3-bash-completion-3.19.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-fish-completion-3.19.2-1.1.ppc64le",
                "product": {
                  "name": "helm3-fish-completion-3.19.2-1.1.ppc64le",
                  "product_id": "helm3-fish-completion-3.19.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-zsh-completion-3.19.2-1.1.ppc64le",
                "product": {
                  "name": "helm3-zsh-completion-3.19.2-1.1.ppc64le",
                  "product_id": "helm3-zsh-completion-3.19.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "helm3-3.19.2-1.1.s390x",
                "product": {
                  "name": "helm3-3.19.2-1.1.s390x",
                  "product_id": "helm3-3.19.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-bash-completion-3.19.2-1.1.s390x",
                "product": {
                  "name": "helm3-bash-completion-3.19.2-1.1.s390x",
                  "product_id": "helm3-bash-completion-3.19.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-fish-completion-3.19.2-1.1.s390x",
                "product": {
                  "name": "helm3-fish-completion-3.19.2-1.1.s390x",
                  "product_id": "helm3-fish-completion-3.19.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-zsh-completion-3.19.2-1.1.s390x",
                "product": {
                  "name": "helm3-zsh-completion-3.19.2-1.1.s390x",
                  "product_id": "helm3-zsh-completion-3.19.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "helm3-3.19.2-1.1.x86_64",
                "product": {
                  "name": "helm3-3.19.2-1.1.x86_64",
                  "product_id": "helm3-3.19.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-bash-completion-3.19.2-1.1.x86_64",
                "product": {
                  "name": "helm3-bash-completion-3.19.2-1.1.x86_64",
                  "product_id": "helm3-bash-completion-3.19.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-fish-completion-3.19.2-1.1.x86_64",
                "product": {
                  "name": "helm3-fish-completion-3.19.2-1.1.x86_64",
                  "product_id": "helm3-fish-completion-3.19.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "helm3-zsh-completion-3.19.2-1.1.x86_64",
                "product": {
                  "name": "helm3-zsh-completion-3.19.2-1.1.x86_64",
                  "product_id": "helm3-zsh-completion-3.19.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-3.19.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64"
        },
        "product_reference": "helm3-3.19.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-3.19.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le"
        },
        "product_reference": "helm3-3.19.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-3.19.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x"
        },
        "product_reference": "helm3-3.19.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-3.19.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64"
        },
        "product_reference": "helm3-3.19.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-bash-completion-3.19.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64"
        },
        "product_reference": "helm3-bash-completion-3.19.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-bash-completion-3.19.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le"
        },
        "product_reference": "helm3-bash-completion-3.19.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-bash-completion-3.19.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x"
        },
        "product_reference": "helm3-bash-completion-3.19.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-bash-completion-3.19.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64"
        },
        "product_reference": "helm3-bash-completion-3.19.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-fish-completion-3.19.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64"
        },
        "product_reference": "helm3-fish-completion-3.19.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-fish-completion-3.19.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le"
        },
        "product_reference": "helm3-fish-completion-3.19.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-fish-completion-3.19.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x"
        },
        "product_reference": "helm3-fish-completion-3.19.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-fish-completion-3.19.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64"
        },
        "product_reference": "helm3-fish-completion-3.19.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-zsh-completion-3.19.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64"
        },
        "product_reference": "helm3-zsh-completion-3.19.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-zsh-completion-3.19.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le"
        },
        "product_reference": "helm3-zsh-completion-3.19.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-zsh-completion-3.19.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x"
        },
        "product_reference": "helm3-zsh-completion-3.19.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "helm3-zsh-completion-3.19.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        },
        "product_reference": "helm3-zsh-completion-3.19.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-16873",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-16873"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-16873",
          "url": "https://www.suse.com/security/cve/CVE-2018-16873"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118897 for CVE-2018-16873",
          "url": "https://bugzilla.suse.com/1118897"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118898 for CVE-2018-16873",
          "url": "https://bugzilla.suse.com/1118898"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118899 for CVE-2018-16873",
          "url": "https://bugzilla.suse.com/1118899"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2018-16873"
    },
    {
      "cve": "CVE-2018-16874",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-16874"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both \u0027{\u0027 and \u0027}\u0027 characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-16874",
          "url": "https://www.suse.com/security/cve/CVE-2018-16874"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118897 for CVE-2018-16874",
          "url": "https://bugzilla.suse.com/1118897"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118898 for CVE-2018-16874",
          "url": "https://bugzilla.suse.com/1118898"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118899 for CVE-2018-16874",
          "url": "https://bugzilla.suse.com/1118899"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-16874"
    },
    {
      "cve": "CVE-2018-16875",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-16875"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-16875",
          "url": "https://www.suse.com/security/cve/CVE-2018-16875"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118897 for CVE-2018-16875",
          "url": "https://bugzilla.suse.com/1118897"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118898 for CVE-2018-16875",
          "url": "https://bugzilla.suse.com/1118898"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118899 for CVE-2018-16875",
          "url": "https://bugzilla.suse.com/1118899"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-16875"
    },
    {
      "cve": "CVE-2021-21272",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-21272"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a \"zip-slip\" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-21272",
          "url": "https://www.suse.com/security/cve/CVE-2021-21272"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1181419 for CVE-2021-21272",
          "url": "https://bugzilla.suse.com/1181419"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-21272"
    },
    {
      "cve": "CVE-2022-1996",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-1996"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-1996",
          "url": "https://www.suse.com/security/cve/CVE-2022-1996"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1200528 for CVE-2022-1996",
          "url": "https://bugzilla.suse.com/1200528"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2022-1996"
    },
    {
      "cve": "CVE-2022-23524",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23524"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23524",
          "url": "https://www.suse.com/security/cve/CVE-2022-23524"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1206467 for CVE-2022-23524",
          "url": "https://bugzilla.suse.com/1206467"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23524"
    },
    {
      "cve": "CVE-2022-23525",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23525"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23525",
          "url": "https://www.suse.com/security/cve/CVE-2022-23525"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1206469 for CVE-2022-23525",
          "url": "https://bugzilla.suse.com/1206469"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2022-23525"
    },
    {
      "cve": "CVE-2022-23526",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23526"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23526",
          "url": "https://www.suse.com/security/cve/CVE-2022-23526"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1206471 for CVE-2022-23526",
          "url": "https://bugzilla.suse.com/1206471"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2022-23526"
    },
    {
      "cve": "CVE-2022-36055",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-36055"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-36055",
          "url": "https://www.suse.com/security/cve/CVE-2022-36055"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1203054 for CVE-2022-36055",
          "url": "https://bugzilla.suse.com/1203054"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-36055"
    },
    {
      "cve": "CVE-2023-25165",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-25165"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-25165",
          "url": "https://www.suse.com/security/cve/CVE-2023-25165"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208083 for CVE-2023-25165",
          "url": "https://bugzilla.suse.com/1208083"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-25165"
    },
    {
      "cve": "CVE-2023-25173",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-25173"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.\n\nThis bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd\u0027s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-25173",
          "url": "https://www.suse.com/security/cve/CVE-2023-25173"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208426 for CVE-2023-25173",
          "url": "https://bugzilla.suse.com/1208426"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215588 for CVE-2023-25173",
          "url": "https://bugzilla.suse.com/1215588"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-25173"
    },
    {
      "cve": "CVE-2024-25620",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-25620"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-25620",
          "url": "https://www.suse.com/security/cve/CVE-2024-25620"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219969 for CVE-2024-25620",
          "url": "https://bugzilla.suse.com/1219969"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-25620"
    },
    {
      "cve": "CVE-2024-26147",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26147"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26147",
          "url": "https://www.suse.com/security/cve/CVE-2024-26147"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220207 for CVE-2024-26147",
          "url": "https://bugzilla.suse.com/1220207"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-26147"
    },
    {
      "cve": "CVE-2024-45337",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45337"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45337",
          "url": "https://www.suse.com/security/cve/CVE-2024-45337"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234482 for CVE-2024-45337",
          "url": "https://bugzilla.suse.com/1234482"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-45337"
    },
    {
      "cve": "CVE-2024-45338",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45338"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45338",
          "url": "https://www.suse.com/security/cve/CVE-2024-45338"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234794 for CVE-2024-45338",
          "url": "https://bugzilla.suse.com/1234794"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-45338"
    },
    {
      "cve": "CVE-2025-22870",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22870"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22870",
          "url": "https://www.suse.com/security/cve/CVE-2025-22870"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238572 for CVE-2025-22870",
          "url": "https://bugzilla.suse.com/1238572"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238611 for CVE-2025-22870",
          "url": "https://bugzilla.suse.com/1238611"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-22870"
    },
    {
      "cve": "CVE-2025-22872",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22872"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22872",
          "url": "https://www.suse.com/security/cve/CVE-2025-22872"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1241710 for CVE-2025-22872",
          "url": "https://bugzilla.suse.com/1241710"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-22872"
    },
    {
      "cve": "CVE-2025-47911",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-47911"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-47911",
          "url": "https://www.suse.com/security/cve/CVE-2025-47911"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251308 for CVE-2025-47911",
          "url": "https://bugzilla.suse.com/1251308"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-47911"
    },
    {
      "cve": "CVE-2025-53547",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-53547"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-53547",
          "url": "https://www.suse.com/security/cve/CVE-2025-53547"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246150 for CVE-2025-53547",
          "url": "https://bugzilla.suse.com/1246150"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-53547"
    },
    {
      "cve": "CVE-2025-58190",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-58190"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
          "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-58190",
          "url": "https://www.suse.com/security/cve/CVE-2025-58190"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251309 for CVE-2025-58190",
          "url": "https://bugzilla.suse.com/1251309"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1.x86_64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.aarch64",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.ppc64le",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.s390x",
            "openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-28T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-58190"
    }
  ]
}

RHEA-2023:7493

Vulnerability from csaf_redhat - Published: 2023-11-27 11:44 - Updated: 2026-06-02 17:36

Summary

Red Hat Enhancement Advisory: OpenShift sandboxed containers 1.5.0 update

Severity

Moderate

Notes

Topic: OpenShift sandboxed containers 1.5.0 is now available.

Details: OpenShift sandboxed containers support for OpenShift Container Platform provides users with built-in support for running Kata containers as an additional, optional runtime. This advisory contains an update for OpenShift sandboxed containers with enhancements and bug fixes. Space precludes documenting all of the updates to OpenShift sandboxed containers in this advisory. See the Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://access.redhat.com/documentation/en-us/openshift_sandboxed_containers/1.5/html-single/openshift_sandboxed_containers_release_notes/

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2023-25173

A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information or gain the ability to execute code in that container.

7.3 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-842 - Placement of User into Incorrect Group

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x		—	Vendor Fix fix
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64		—	Vendor Fix fix

Known not affected 12 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64		—
Unresolved product id: 9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x		—

Threats

Impact Moderate

References

31 references

URL	Category
https://access.redhat.com/errata/RHEA-2023:7493	self
https://issues.redhat.com/browse/KATA-2135	external
https://issues.redhat.com/browse/KATA-2251	external
https://issues.redhat.com/browse/KATA-2302	external
https://issues.redhat.com/browse/KATA-2317	external
https://issues.redhat.com/browse/KATA-2321	external
https://issues.redhat.com/browse/KATA-2402	external
https://issues.redhat.com/browse/KATA-2411	external
https://issues.redhat.com/browse/KATA-2451	external
https://issues.redhat.com/browse/KATA-2452	external
https://issues.redhat.com/browse/KATA-2453	external
https://issues.redhat.com/browse/KATA-2454	external
https://issues.redhat.com/browse/KATA-2461	external
https://issues.redhat.com/browse/KATA-2462	external
https://issues.redhat.com/browse/KATA-2463	external
https://issues.redhat.com/browse/KATA-2464	external
https://issues.redhat.com/browse/KATA-2465	external
https://issues.redhat.com/browse/KATA-2466	external
https://issues.redhat.com/browse/KATA-2475	external
https://issues.redhat.com/browse/KATA-2476	external
https://issues.redhat.com/browse/KATA-2515	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2023-25173	self
https://bugzilla.redhat.com/show_bug.cgi?id=2174485	external
https://www.cve.org/CVERecord?id=CVE-2023-25173	external
https://nvd.nist.gov/vuln/detail/CVE-2023-25173	external
https://github.com/containerd/containerd/commit/1…	external
https://github.com/containerd/containerd/releases…	external
https://github.com/containerd/containerd/releases…	external
https://github.com/containerd/containerd/security…	external
https://www.benthamsgaze.org/2022/08/22/vulnerabi…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "OpenShift sandboxed containers 1.5.0 is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenShift sandboxed containers support for OpenShift Container Platform\nprovides users with built-in support for running Kata containers as an\nadditional, optional runtime.\n\nThis advisory contains an update for OpenShift sandboxed containers with enhancements and bug fixes.\n\nSpace precludes documenting all of the updates to OpenShift sandboxed\ncontainers in this advisory. See the Release Notes documentation,\nwhich will be updated shortly for this release, for details about these\nchanges:\n\nhttps://access.redhat.com/documentation/en-us/openshift_sandboxed_containers/1.5/html-single/openshift_sandboxed_containers_release_notes/",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHEA-2023:7493",
        "url": "https://access.redhat.com/errata/RHEA-2023:7493"
      },
      {
        "category": "external",
        "summary": "KATA-2135",
        "url": "https://issues.redhat.com/browse/KATA-2135"
      },
      {
        "category": "external",
        "summary": "KATA-2251",
        "url": "https://issues.redhat.com/browse/KATA-2251"
      },
      {
        "category": "external",
        "summary": "KATA-2302",
        "url": "https://issues.redhat.com/browse/KATA-2302"
      },
      {
        "category": "external",
        "summary": "KATA-2317",
        "url": "https://issues.redhat.com/browse/KATA-2317"
      },
      {
        "category": "external",
        "summary": "KATA-2321",
        "url": "https://issues.redhat.com/browse/KATA-2321"
      },
      {
        "category": "external",
        "summary": "KATA-2402",
        "url": "https://issues.redhat.com/browse/KATA-2402"
      },
      {
        "category": "external",
        "summary": "KATA-2411",
        "url": "https://issues.redhat.com/browse/KATA-2411"
      },
      {
        "category": "external",
        "summary": "KATA-2451",
        "url": "https://issues.redhat.com/browse/KATA-2451"
      },
      {
        "category": "external",
        "summary": "KATA-2452",
        "url": "https://issues.redhat.com/browse/KATA-2452"
      },
      {
        "category": "external",
        "summary": "KATA-2453",
        "url": "https://issues.redhat.com/browse/KATA-2453"
      },
      {
        "category": "external",
        "summary": "KATA-2454",
        "url": "https://issues.redhat.com/browse/KATA-2454"
      },
      {
        "category": "external",
        "summary": "KATA-2461",
        "url": "https://issues.redhat.com/browse/KATA-2461"
      },
      {
        "category": "external",
        "summary": "KATA-2462",
        "url": "https://issues.redhat.com/browse/KATA-2462"
      },
      {
        "category": "external",
        "summary": "KATA-2463",
        "url": "https://issues.redhat.com/browse/KATA-2463"
      },
      {
        "category": "external",
        "summary": "KATA-2464",
        "url": "https://issues.redhat.com/browse/KATA-2464"
      },
      {
        "category": "external",
        "summary": "KATA-2465",
        "url": "https://issues.redhat.com/browse/KATA-2465"
      },
      {
        "category": "external",
        "summary": "KATA-2466",
        "url": "https://issues.redhat.com/browse/KATA-2466"
      },
      {
        "category": "external",
        "summary": "KATA-2475",
        "url": "https://issues.redhat.com/browse/KATA-2475"
      },
      {
        "category": "external",
        "summary": "KATA-2476",
        "url": "https://issues.redhat.com/browse/KATA-2476"
      },
      {
        "category": "external",
        "summary": "KATA-2515",
        "url": "https://issues.redhat.com/browse/KATA-2515"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhea-2023_7493.json"
      }
    ],
    "title": "Red Hat Enhancement Advisory: OpenShift sandboxed containers 1.5.0 update",
    "tracking": {
      "current_release_date": "2026-06-02T17:36:48+00:00",
      "generator": {
        "date": "2026-06-02T17:36:48+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.1"
        }
      },
      "id": "RHEA-2023:7493",
      "initial_release_date": "2023-11-27T11:44:10+00:00",
      "revision_history": [
        {
          "date": "2023-11-27T11:44:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-11-27T11:44:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-02T17:36:48+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Sandboxed Containers 1.5",
                "product": {
                  "name": "OpenShift Sandboxed Containers 1.5",
                  "product_id": "9Base-OSE-OSC-1.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1.5.0::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9\u0026tag=1.5.0-11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9\u0026tag=1.5.0-8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9\u0026tag=1.5.0-9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9\u0026tag=1.5.0-11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-operator-bundle\u0026tag=1.5.0-45"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-rhel9-operator\u0026tag=1.5.0-14"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
                  "product_id": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9\u0026tag=1.5.0-12"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9\u0026tag=1.5.0-11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9\u0026tag=1.5.0-8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9\u0026tag=1.5.0-9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9\u0026tag=1.5.0-11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-operator-bundle\u0026tag=1.5.0-45"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-rhel9-operator\u0026tag=1.5.0-14"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
                "product": {
                  "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
                  "product_id": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078?arch=s390x\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9\u0026tag=1.5.0-12"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x"
        },
        "product_reference": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64 as a component of OpenShift Sandboxed Containers 1.5",
          "product_id": "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64"
        },
        "product_reference": "openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64",
        "relates_to_product_reference": "9Base-OSE-OSC-1.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-25173",
      "cwe": {
        "id": "CWE-842",
        "name": "Placement of User into Incorrect Group"
      },
      "discovery_date": "2023-03-01T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2174485"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information or gain the ability to execute code in that container.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "containerd: Supplementary groups are not set up properly",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The following products include containerd related code, but do not use the specific Go packages impacted by this CVE, `containerd/cri/server` and `containerd/oci`. This CVE is therefore rated Low for these products:\n\n* OpenShift Container Platform\n* OpenShift Service Mesh\n* OpenShift API for Data Protection\n* Red Hat Advanced Cluster Security\n* Red Hat Advanced Cluster Management for Kubernetes",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64"
        ],
        "known_not_affected": [
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
          "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-25173"
        },
        {
          "category": "external",
          "summary": "RHBZ#2174485",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174485"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-25173",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-25173"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25173",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25173"
        },
        {
          "category": "external",
          "summary": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a",
          "url": "https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a"
        },
        {
          "category": "external",
          "summary": "https://github.com/containerd/containerd/releases/tag/v1.5.18",
          "url": "https://github.com/containerd/containerd/releases/tag/v1.5.18"
        },
        {
          "category": "external",
          "summary": "https://github.com/containerd/containerd/releases/tag/v1.6.18",
          "url": "https://github.com/containerd/containerd/releases/tag/v1.6.18"
        },
        {
          "category": "external",
          "summary": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p",
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p"
        },
        {
          "category": "external",
          "summary": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/",
          "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/"
        }
      ],
      "release_date": "2023-02-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-11-27T11:44:10+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2023:7493"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:aca3d50071c30b75433140f703f4a0dd8210aa07600ea94c2b1c2fbf27173893_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:ceb940eac3a9706d189549d363820f867bf5d3768b26e62aeb247a42e3a0dd93_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:69407c8df88c2b041462f1c111ce348156010af0c483ab3189e776843799b1e5_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:d0277285d246d2015f0a94df01824801430831cfc767c9ccbb1688a9ec4dd743_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0cdbaed1c4e0fab4dd2ab109bfeb364997731ae8ef7c4e84b8cac397835f2053_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-monitor-rhel9@sha256:dce657064e74cf9790aeb155ecdf49b336311dd3afc76681f6e979110d8d6b10_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:8ead5cc2fba3a375f48748eb6dd2883728e1ac62f8afc6503bc4e034164a535c_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:91f6a0ab0f45b384850c0fec87a38bf9bf3455cfde4720975e646c542b00d6b7_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:ab665121f5a9e3a9d7f7db76ff4c9d81bf2868a06a4deb6e13436b3a4f096823_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-operator-bundle@sha256:e51e8c3e5fc5fc24c1488303e2d92adf101813d1593add947558336c40127dc4_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:112f7dd50d65cdb5046ac16e88ceed3804f6861fc7271db2a2b842b0b4931360_amd64",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:989610c8ad1eb4b71be1498e40cca9b76d7edad27712fd165d3564c9d4006078_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:32af14d95384759d0bc71c5a3243de5ed5baad46c115d32d5c87ff2379554067_s390x",
            "9Base-OSE-OSC-1.5:openshift-sandboxed-containers/osc-rhel9-operator@sha256:4adb6f488fa6e2ee6e1a59665cecb49cebc0d0de6b8790abb3b1001f40f2a5fd_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "containerd: Supplementary groups are not set up properly"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-25173 (GCVE-0-2023-25173)

Solutions

Solutions

Impact

Patches

Workarounds

References

For more information

Tags

Sightings

Nomenclature