SUSE update for libuv
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-24806 |
| CWE-ID | CWE-918 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Basesystem Module Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system SUSE Linux Enterprise Micro Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system libuv1-64bit Operating systems & Components / Operating system package or component libuv1-64bit-debuginfo Operating systems & Components / Operating system package or component libuv1-32bit-debuginfo Operating systems & Components / Operating system package or component libuv1-32bit Operating systems & Components / Operating system package or component libuv-devel Operating systems & Components / Operating system package or component libuv-debugsource Operating systems & Components / Operating system package or component libuv1 Operating systems & Components / Operating system package or component libuv1-debuginfo Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU86707
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-24806
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when handling hostnames longer than 256 characters within the uv_getaddrinfo() function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c. A remote attacker can pass a specially crafted hostname to the application, which can be resolved to an attacker controlled IP address and initiate unauthorized requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
MitigationUpdate the affected package libuv to the latest version.
Vulnerable software versionsBasesystem Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP5 - SP6
SUSE Linux Enterprise Server 15: SP5 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Micro: 5.5
SUSE Linux Enterprise High Performance Computing 15: SP5
libuv1-64bit: before 1.44.2-150500.3.5.1
libuv1-64bit-debuginfo: before 1.44.2-150500.3.5.1
libuv1-32bit-debuginfo: before 1.44.2-150500.3.5.1
libuv1-32bit: before 1.44.2-150500.3.5.1
libuv-devel: before 1.44.2-150500.3.5.1
libuv-debugsource: before 1.44.2-150500.3.5.1
libuv1: before 1.44.2-150500.3.5.1
libuv1-debuginfo: before 1.44.2-150500.3.5.1
CPE2.3- cpe:2.3:o:suse:basesystem_module:15-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:basesystem_module:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_micro:5.5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:*
- cpe:2.3:a:suse:libuv1-64bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libuv1-64bit-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libuv1-32bit-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libuv1-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libuv-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libuv-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libuv1:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libuv1-debuginfo:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2024/suse-su-20244109-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
