SUSE update for lasso
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2025-46404 CVE-2025-46705 CVE-2025-47151 |
| CWE-ID | CWE-476 CWE-617 CWE-843 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Server Applications Module Operating systems & Components / Operating system SUSE Package Hub 15 Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system liblasso3-debuginfo Operating systems & Components / Operating system package or component lasso-debugsource Operating systems & Components / Operating system package or component python3-lasso Operating systems & Components / Operating system package or component liblasso3 Operating systems & Components / Operating system package or component liblasso-devel Operating systems & Components / Operating system package or component python3-lasso-debuginfo Operating systems & Components / Operating system package or component lasso-debuginfo Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) NULL pointer dereference
EUVDB-ID: #VU118160
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-46404
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the lasso_provider_verify_saml_signature functionality. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected package lasso to the latest version.
Vulnerable software versionsServer Applications Module: 15-SP6 - 15-SP7
SUSE Package Hub 15: 15-SP6 - 15-SP7
SUSE Linux Enterprise Real Time 15: SP6 - SP7
SUSE Linux Enterprise Server for SAP Applications 15: SP6 - SP7
SUSE Linux Enterprise Server 15: SP6 - SP7
SUSE Linux Enterprise Desktop 15: SP6 - SP7
openSUSE Leap: 15.6
liblasso3-debuginfo: before 2.8.2-150600.3.5.1
lasso-debugsource: before 2.8.2-150600.3.5.1
python3-lasso: before 2.8.2-150600.3.5.1
liblasso3: before 2.8.2-150600.3.5.1
liblasso-devel: before 2.8.2-150600.3.5.1
python3-lasso-debuginfo: before 2.8.2-150600.3.5.1
lasso-debuginfo: before 2.8.2-150600.3.5.1
CPE2.3- cpe:2.3:o:suse:server_applications_module:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:server_applications_module:15-SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_package_hub_15:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_package_hub_15:15-SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
- cpe:2.3:a:suse:liblasso3-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:lasso-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:python3-lasso:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:liblasso3:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:liblasso-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:python3-lasso-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:lasso-debuginfo:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2025/suse-su-20254068-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Reachable assertion
EUVDB-ID: #VU118159
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-46705
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in the g_assert_not_reached functionality. A remote attacker can use a specially crafted SAML assertion response and cause a denial of service (DoS) attack.
MitigationUpdate the affected package lasso to the latest version.
Vulnerable software versionsServer Applications Module: 15-SP6 - 15-SP7
SUSE Package Hub 15: 15-SP6 - 15-SP7
SUSE Linux Enterprise Real Time 15: SP6 - SP7
SUSE Linux Enterprise Server for SAP Applications 15: SP6 - SP7
SUSE Linux Enterprise Server 15: SP6 - SP7
SUSE Linux Enterprise Desktop 15: SP6 - SP7
openSUSE Leap: 15.6
liblasso3-debuginfo: before 2.8.2-150600.3.5.1
lasso-debugsource: before 2.8.2-150600.3.5.1
python3-lasso: before 2.8.2-150600.3.5.1
liblasso3: before 2.8.2-150600.3.5.1
liblasso-devel: before 2.8.2-150600.3.5.1
python3-lasso-debuginfo: before 2.8.2-150600.3.5.1
lasso-debuginfo: before 2.8.2-150600.3.5.1
CPE2.3- cpe:2.3:o:suse:server_applications_module:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:server_applications_module:15-SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_package_hub_15:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_package_hub_15:15-SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
- cpe:2.3:a:suse:liblasso3-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:lasso-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:python3-lasso:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:liblasso3:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:liblasso-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:python3-lasso-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:lasso-debuginfo:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2025/suse-su-20254068-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Type Confusion
EUVDB-ID: #VU118158
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-47151
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in the lasso_node_impl_init_from_xml functionality. A remote attacker can pass specially crafted data to the application, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package lasso to the latest version.
Vulnerable software versionsServer Applications Module: 15-SP6 - 15-SP7
SUSE Package Hub 15: 15-SP6 - 15-SP7
SUSE Linux Enterprise Real Time 15: SP6 - SP7
SUSE Linux Enterprise Server for SAP Applications 15: SP6 - SP7
SUSE Linux Enterprise Server 15: SP6 - SP7
SUSE Linux Enterprise Desktop 15: SP6 - SP7
openSUSE Leap: 15.6
liblasso3-debuginfo: before 2.8.2-150600.3.5.1
lasso-debugsource: before 2.8.2-150600.3.5.1
python3-lasso: before 2.8.2-150600.3.5.1
liblasso3: before 2.8.2-150600.3.5.1
liblasso-devel: before 2.8.2-150600.3.5.1
python3-lasso-debuginfo: before 2.8.2-150600.3.5.1
lasso-debuginfo: before 2.8.2-150600.3.5.1
CPE2.3- cpe:2.3:o:suse:server_applications_module:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:server_applications_module:15-SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_package_hub_15:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_package_hub_15:15-SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
- cpe:2.3:a:suse:liblasso3-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:lasso-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:python3-lasso:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:liblasso3:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:liblasso-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:python3-lasso-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:lasso-debuginfo:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2025/suse-su-20254068-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
