SB2024021616 - SUSE update for SUSE Manager Client Tools 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024021616

SB2024021616 - SUSE update for SUSE Manager Client Tools

Published: February 16, 2024 Updated: February 21, 2025

Security Bulletin ID SB2024021616
Severity
High
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 22% Medium 44% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.


1) Incorrect Regular Expression (CVE-ID: CVE-2020-7753)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


2) Input validation error (CVE-ID: CVE-2021-3807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when matching crafted invalid ANSI escape codes in ansi-regex. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


3) Code Injection (CVE-ID: CVE-2021-3918)

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.


4) Prototype pollution (CVE-ID: CVE-2021-43138)

The vulnerability allows a remote attacker to escalate privileges within the application.

The vulnerability exists due to improper input validation when handling data passed via the mapValues() method. A remote attacker can send a specially crafted request and escalate privileges within the application.


5) Path traversal (CVE-ID: CVE-2021-43798)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences, passed after the "/public/plugins/" URL. A remote non-authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.


6) Path traversal (CVE-ID: CVE-2021-43815)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing .csv files. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.


7) Information disclosure (CVE-ID: CVE-2022-0155)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.


8) Resource exhaustion (CVE-ID: CVE-2022-41715)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in regexp/syntax when handling regular expressions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


9) Stored cross-site scripting (CVE-ID: CVE-2023-40577)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed to the /api/v1/alerts endpoint in the Alertmanager UI. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.


Remediation

Install update from vendor's website.

References