SB20250619109 - SUSE update for pam
Published: June 19, 2025 Updated: February 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Configuration (CVE-ID: CVE-2025-6018)
CWE-ID: CWE-16 - Configuration
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
The issue may allow a local user to escalate privileges on the system.
The issue exists due an error in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. An unprivileged user who logs in via sshd can force the pam_env module to add arbitrary variables to PAM's environment, leading to arbitrary code execution as root.
2) Improper access control (CVE-ID: CVE-2025-6020)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions within the pam_namespace module when handling user-controlled paths. A local user can use specially crafted symlinks and race conditions to execute arbitrary code as root.
Remediation
Install update from vendor's website.