Main Vulnerability Database SB2025112453

SB2025112453 - SUSE update for Security update 5.1.1 for Multi-Linux Manager Client Tools

Published: November 24, 2025

Security Bulletin ID SB2025112453

Severity

Medium

Patch available

YES

Number of vulnerabilities 4

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2025-3415)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the Grafana Alerting DingDing integration is not properly protected. A remote user can gain unauthorized access to sensitive information on the system.

2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-47908)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to middleware causing a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. A remote attacker can produce undue load on the middleware/server as an attempt to cause a denial of service.

3) Open redirect (CVE-ID: CVE-2025-6023)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

4) Open redirect (CVE-ID: CVE-2025-6197)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data in switching functionality. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2025/suse-su-20253817-1/

Vulnerable Software

SUSE Multi-Linux Manager Client Tools for SLE: 12
python2-spacewalk-client-tools: before 5.1.7-120002.3.3.2
mgr-push: before 5.1.4-120002.3.3.3
python2-rhnlib: before 5.1.3-120002.3.3.1
supportutils-plugin-susemanager-client: before 5.1.4-120002.3.3.1
spacecmd: before 5.1.11-120002.3.3.2
python-defusedxml: before 0.6.0-120002.1.3.1
python2-mgr-push: before 5.1.4-120002.3.3.3
spacewalk-client-tools: before 5.1.7-120002.3.3.2
grafana: before 11.5.7-120002.4.3.2
Multi-Linux-ManagerTools-SLE-release-POOL: before 12-120002.1.3.2
golang-github-prometheus-alertmanager: before 0.28.1-120002.4.3.2
Multi-Linux-ManagerTools-SLE-release: before 12-120002.1.3.2
golang-github-prometheus-alertmanager-debuginfo: before 0.28.1-120002.4.3.2
grafana-debuginfo: before 11.5.7-120002.4.3.2