SB2024022023 - SUSE update for SUSE Manager 4.3.11 Release Notes

Security Bulletin ID SB2024022023

Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2023-32189)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error in SUSE Manager when processing directory traversal sequences in the private SSH key file name when creating a new user. A remote user can pass a specially crafted filename to the application and overwrite arbitrary files on the system.

2) Path traversal (CVE-ID: CVE-2024-22231)

The vulnerability allows a remote user to create arbitrary directories.

The vulnerability exists due to input validation error when processing directory traversal sequences during Syndic cache directory creation. A remote user can create arbitrary directories on the Salt master.

3) Path traversal (CVE-ID: CVE-2024-22232)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files Salt master’s filesystem.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2024/suse-su-20240513-1/

SB2024022023 - SUSE update for SUSE Manager 4.3.11 Release Notes

Breakdown by Severity

Description

Remediation

References

Please verify you're human