SB2024022029 - SUSE update for Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024022029

SB2024022029 - SUSE update for Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Published: February 20, 2024

Security Bulletin ID SB2024022029
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Insufficient entropy (CVE-ID: CVE-2023-31582)

The vulnerability allows a remote attacker to brute-force JWT token.

The vulnerability exists due to usage of insufficient entropy when generating JWT token. A remote attacker can brute-force the JWT token and gain unauthorized access to the application.


2) Path traversal (CVE-ID: CVE-2023-32189)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error in SUSE Manager when processing directory traversal sequences in the private SSH key file name when creating a new user. A remote user can pass a specially crafted filename to the application and overwrite arbitrary files on the system.


Remediation

Install update from vendor's website.

References