SB2024012352 - SUSE update for Security Beta update for SUSE Manager Client Tools and Salt 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024012352

SB2024012352 - SUSE update for Security Beta update for SUSE Manager Client Tools and Salt

Published: January 23, 2024 Updated: February 21, 2025

Security Bulletin ID SB2024012352
Severity
High
Patch available
YES
Number of vulnerabilities 44
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 39% Low 48%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 44 secuirty vulnerabilities.


1) Incorrect Regular Expression (CVE-ID: CVE-2020-7753)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-20178)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the snmp_facts module in Ansible discloses 'authkey' and 'privkey' credentials. A local user with access to the output of playbook execution can obtain SNMP credentials.


3) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-20180)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the bitbucket_pipeline_variable module in ansible-collection discloses by default credentials in the console log. A local user can obtain bitbucket_pipeline credentials.


4) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-20191)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data.


5) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-20228)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files in the Ansible Engine|. A local user can read the log files and gain access to sensitive data.


6) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-3447)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. A local user can read the log files and gain access to sensitive data.


7) Code Injection (CVE-ID: CVE-2021-3583)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when processing yaml multi-line strings with ansible facts in templates. A remote attacker can trick the victim to open a specially crafted yaml template and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


8) Information Exposure Through an Error Message (CVE-ID: CVE-2021-3620)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists in the Ansible Engine's ansible-connection module. The Ansible user credentials is disclosed by default in the traceback error message. A remote attacker with ability to intercept traffic can obtain user's credentials.


9) NULL pointer dereference (CVE-ID: CVE-2021-36222)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5). A remote attacker can send a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST and perform a denial of service (DoS) attack.


10) Buffer overflow (CVE-ID: CVE-2021-3711)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in EVP_PKEY_decrypt() function within implementation of the SM2 decryption. A remote attacker can send specially crafted SM2 content for decryption to trigger a buffer overflow by 62 bytes and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


11) Input validation error (CVE-ID: CVE-2021-3807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when matching crafted invalid ANSI escape codes in ansi-regex. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


12) Code Injection (CVE-ID: CVE-2021-3918)

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.


13) Cross-site scripting (CVE-ID: CVE-2021-41174)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


14) Incorrect authorization (CVE-ID: CVE-2021-41244)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper access control in fine-grained access control feature. A remote user with an admin role in one organization can list, add, remove, and update users’ roles in other organizations in which he is not an admin.


15) Prototype pollution (CVE-ID: CVE-2021-43138)

The vulnerability allows a remote attacker to escalate privileges within the application.

The vulnerability exists due to improper input validation when handling data passed via the mapValues() method. A remote attacker can send a specially crafted request and escalate privileges within the application.


16) Path traversal (CVE-ID: CVE-2021-43798)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences, passed after the "/public/plugins/" URL. A remote non-authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.


17) Path traversal (CVE-ID: CVE-2021-43813)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.


18) Path traversal (CVE-ID: CVE-2021-43815)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing .csv files. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.


19) Information disclosure (CVE-ID: CVE-2022-0155)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.


20) Stored cross-site scripting (CVE-ID: CVE-2022-23552)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user with the Editor role can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


21) Input validation error (CVE-ID: CVE-2022-27664)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


22) Input validation error (CVE-ID: CVE-2022-29170)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP Host header during redirection. A remote attacker can perform spoofing attack.


23) Stored cross-site scripting (CVE-ID: CVE-2022-31097)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


24) Improper Authentication (CVE-ID: CVE-2022-31107)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in OAuth implementation routine. A remote attacker can bypass authentication process and login under arbitrary account.


25) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2022-31123)

The vulnerability allows a remote attacker to compromise the affected instance.

The vulnerability exists due to missing signature verification mechanism. A remote attacker can trick the server admin into installing a malicious plugin even though unsigned plugins are not allowed.


26) Information disclosure (CVE-ID: CVE-2022-31130)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the GitLab data source plugin leaks the API key to GitLab. A remote privileged user can expose Grafana authentication token to a third-party.


27) Resource exhaustion (CVE-ID: CVE-2022-32149)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to ParseAcceptLanguage does not properly control consumption of internal resources. A remote attacker can send a specially crafted Accept-Language header that will take a significant time to parse and perform a denial of service (DoS) attack.


28) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2022-35957)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to the way Grafana handles authorization process when Auth proxy authentication is used. A remote user with admin privileges can authenticate as Server Admin by providing the username (or email) in a X-WEBAUTH-USER HTTP header.


29) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-36062)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.


30) Information disclosure (CVE-ID: CVE-2022-39201)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to Grafana leaks the authentication cookie of users to plugins. A remote user can gain unauthorized access to sensitive information.


31) Improper Authentication (CVE-ID: CVE-2022-39229)

The vulnerability allows a remote attacker to deny access to the application.

The vulnerability exists due to a logic error in the authentication process, where application allows usage of the same email address by different accounts. A remote user can set an existing email address that belongs to another user as their username and prevent that user from accessing the application.


32) Input validation error (CVE-ID: CVE-2022-39306)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can use the invitation link to sign up with an arbitrary username/email with a malicious intent.


33) Information disclosure (CVE-ID: CVE-2022-39307)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application when using the forget password on the login page. A remote attacker can gain unauthorized access to sensitive information on the system.


34) Spoofing attack (CVE-ID: CVE-2022-39324)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to usage of a hidden originalUrl parameter in the shared dashboard. A remote attacker can trick the victim into opening a shared snapshot and click on the button in the Grafana web UI, which will redirect user to an attacker-controlled URL.


35) Resource exhaustion (CVE-ID: CVE-2022-41715)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in regexp/syntax when handling regular expressions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


36) Resource exhaustion (CVE-ID: CVE-2022-41723)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the HPACK decoder. A remote attacker can send a specially crafted HTTP/2 stream to the application, cause resource exhaustion and perform a denial of service (DoS) attack.


37) Use of Password Hash Instead of Password for Authentication (CVE-ID: CVE-2022-46146)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to incorrect implementation of basic authentication. A remote attacker with knowledge of the password hash can authenticate against Prometheus without actual knowledge of the password.


38) Stored cross-site scripting (CVE-ID: CVE-2023-0507)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the GeoMap plugin. A remote user with the Editor role can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


39) Stored cross-site scripting (CVE-ID: CVE-2023-0594)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the trace view visualization. A remote user the Editor role can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


40) Information disclosure (CVE-ID: CVE-2023-1387)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to application allows users to login with a JWT token passed in the URL query parameter auth_token. A remote attacker can intercept the query and gain unauthorized access to the application.


41) Stored cross-site scripting (CVE-ID: CVE-2023-1410)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Graphite FunctionDescription tooltip. A remote user can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


42) Missing Authorization (CVE-ID: CVE-2023-2183)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to missing authorization in the alerts feature within API. A remote user can use the API to send multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.


43) Improper synchronization (CVE-ID: CVE-2023-2801)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect synchronization when processing multiple requests. A remote user can query multiple distinct data sources using mixed queries via public dashboard or API and crash Grafana instances.


44) Improper Authentication (CVE-ID: CVE-2023-3128)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in Azure AD OAuth implementation. Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. A remote attacker can modify their profile and provide the email address of  an existing Grafana user, bypass authentication process and gain unauthorized access to the application.

The vulnerability affects Grafana installations with Azure AD OAuth configured for a multi-tenant app.



Remediation

Install update from vendor's website.

References