Main Vulnerability Database SB2023050424

SB2023050424 - SUSE update for maven and recommended update for antlr3, minlog, sbt, xmvn

Published: May 4, 2023

Security Bulletin ID SB2023050424

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Code Injection (CVE-ID: CVE-2021-42550)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote user can send a specially crafted request to the application and execute arbitrary code on the target system by tricking the application to load a malicious configuration from a remote LDAP server.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2023/suse-su-20232097-1/

Vulnerable Software

SUSE Linux Enterprise Server for SAP Applications 15: SP2 - SP4
SUSE Linux Enterprise High Performance Computing 15: SP2 - SP4
SUSE Linux Enterprise Server 15: SP2 - SP4
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3
SUSE Linux Enterprise Real Time 15: SP3 - SP4
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP3
SUSE Linux Enterprise Desktop 15: SP4
SUSE Manager Proxy: 4.3
SUSE Manager Server Module: 4.3
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Enterprise Storage: 7.1
SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2
SUSE Linux Enterprise Server 15 SP3 LTSS: 15-SP3
Development Tools Module: 15-SP4
openSUSE Leap: 15.4
sbt-bootstrap: before 0.13.18-150200.4.7.8
sbt: before 0.13.18-150200.4.7.8
minlog-javadoc: before 1.3.1-150200.3.7.8
minlog: before 1.3.1-150200.3.7.8
antlr3-bootstrap-tool: before 3.5.3-150200.3.11.8
antlr3-java: before 3.5.3-150200.3.11.8
antlr3-tool: before 3.5.3-150200.3.11.8
antlr3-java-javadoc: before 3.5.3-150200.3.11.8
antlr3-javadoc: before 3.5.3-150200.3.11.8
maven-lib: before 3.8.6-150200.4.9.8
maven: before 3.8.6-150200.4.9.8
maven-javadoc: before 3.8.6-150200.4.9.8
xmvn-parent: before 4.0.0-150200.3.7.1
xmvn-resolve: before 4.0.0-150200.3.7.1
xmvn-tools-javadoc: before 4.0.0-150200.3.7.1
xmvn-install: before 4.0.0-150200.3.7.1
xmvn-subst: before 4.0.0-150200.3.7.1
xmvn-core: before 4.0.0-150200.3.7.1
xmvn: before 4.0.0-150200.3.7.1
xmvn-minimal: before 4.0.0-150200.3.7.1
xmvn-api: before 4.0.0-150200.3.7.1
xmvn-connector: before 4.0.0-150200.3.7.3
xmvn-connector-javadoc: before 4.0.0-150200.3.7.3
xmvn-mojo-javadoc: before 4.0.0-150200.3.7.8
xmvn-mojo: before 4.0.0-150200.3.7.8

SB2023050424 - SUSE update for maven and recommended update for antlr3, minlog, sbt, xmvn

Breakdown by Severity

Description

Remediation

References

Please verify you're human