SB20260422171 - SUSE update for Maintenance update for Multi-Linux Manager 4.3 Release Notes Release Notes
Published: April 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2024-29371)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
2) Interpretation conflict (CVE-ID: CVE-2025-12816)
The vulnerability allows a remote attacker to bypass downstream cryptographic verification and security decisions.
The vulnerability exists due to incorrect validation of ASN.1 structures within the asn1.validate() function in forge/lib/asn1.js. A remote non-authenticated attacker can use specially crafted ASN.1 structures to desynchronize DER schema validations and bypass downstream cryptographic verification and security decisions.
3) Prototype pollution (CVE-ID: CVE-2025-13465)
The vulnerability allows a remote attacker to alter application's behavior.
The vulnerability exists due to improper input validation within the in the _.unset and _.omit functions. A remote attacker can pass specially crafted input to the application and delete methods from global prototypes.
4) Prototype pollution (CVE-ID: CVE-2025-61140)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
5) Code Injection (CVE-ID: CVE-2026-1615)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to unsafe evaluation of user-supplied JSON Path expressions. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
6) Inefficient regular expression complexity (CVE-ID: CVE-2026-25547)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. When a remote attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.
7) Improper input validation (CVE-ID: CVE-2026-27727)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Platform Security (Mchange Commons Java) component in Oracle Business Intelligence Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
8) Improper input validation (CVE-ID: CVE-2026-27830)
The vulnerability allows a remote authenticated user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Platform Security (c3p0) component in Oracle Business Intelligence Enterprise Edition. A remote authenticated user can exploit this vulnerability to execute arbitrary code.
Remediation
Install update from vendor's website.