SB2025021742 - SUSE update for SUSE Manager Client Tools
Published: February 17, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2023-3128)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in Azure AD OAuth implementation. Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. A remote attacker can modify their profile and provide the email address of an existing Grafana user, bypass authentication process and gain unauthorized access to the application.
The vulnerability affects Grafana installations with Azure AD OAuth configured for a multi-tenant app.
2) Incorrect authorization (CVE-ID: CVE-2023-6152)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass email verification.
The vulnerability exists due to email addresses are verified only during sign up, if "verify_email_enabled" option is set. A remote attacker can register an account and then set an arbitrary email address without verification.
3) Information disclosure (CVE-ID: CVE-2024-22037)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the uyuni-server-attestation systemd service uses the database_password environment variable to store password. A local user can obtain the password via systemd.
4) Improper authorization (CVE-ID: CVE-2024-45337)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.
5) Insufficient technical documentation (CVE-ID: CVE-2024-51744)
CWE-ID: CWE-1059 - Insufficient Technical Documentation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due due to unclear documentation of the error behavior in "ParseWithClaims". A remote attacker can trick the victim into accepting invalid tokens, which can lead to information disclosure.
6) Cross-site scripting (CVE-ID: CVE-2024-6837)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "/swagger" endpoint. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
7) Improper access control (CVE-ID: CVE-2024-8118)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to wrong permission is applied to the alert rule write API endpoint. A remote user with permission to write external alert instances can also write alert rules.
Remediation
Install update from vendor's website.