SB2026060464 - SUSE update for Maintenance update for Multi-Linux Manager 4.3 Release Notes
Published: June 4, 2026
Description
This security bulletin contains information about 14 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2022-21698)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of the client-supplied HTTP method that the instrumented HTTP handlers record as the method label. Because every distinct method string becomes a new label value, a remote attacker can send requests with arbitrary methods to grow label cardinality without bound, exhaust memory and perform a denial of service (DoS) attack.
2) Improper Authorization (CVE-ID: CVE-2026-21724)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify protected webhook URLs.
The vulnerability exists due to improper access control in the Provisioning Contact Points API when handling API requests. A remote user can send a specially crafted request to modify protected webhook URLs.
Successful exploitation allows modification of protected contact points without the required alert.notifications.receivers.protected:write permission.
3) Path traversal (CVE-ID: CVE-2026-27606)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to insufficient filtering of directory traversal sequences in the Rollup module bundler. A remote attacker can send a specially crafted HTTP request to write arbitrary files on the system, leading to arbitrary code execution.
4) Improper input validation (CVE-ID: CVE-2026-27876)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation in SQL Expressions feature when processing user-supplied queries. A remote privileged user can send a specially crafted request to execute arbitrary code.
Only instances with the sqlExpressions feature toggle enabled are vulnerable.
5) Information disclosure (CVE-ID: CVE-2026-27877)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in public dashboards when handling direct mode data sources. A remote user can access publicly shared dashboards to disclose sensitive information.
Authentication is required to create or access public dashboards; only direct mode data sources are affected.
6) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-27879)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in query resampling when processing crafted resample queries. A remote user can send a specially crafted request to cause a denial of service.
7) Improper input validation (CVE-ID: CVE-2026-28375)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in the testdata datasource when processing user-supplied queries. A remote user can send a specially crafted request to cause a denial of service.
8) Resource exhaustion (CVE-ID: CVE-2026-31958)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in multipart/form-data parsing on the main thread when processing very large multipart request bodies with many parts. A remote attacker can send a specially crafted multipart/form-data request to cause a denial of service.
The number of multipart parts is limited only by the max_body_size setting.
9) Improper Authorization (CVE-ID: CVE-2026-33186)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authorization.
The vulnerability exists due to authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server to bypass authorization.
10) Improper input validation (CVE-ID: CVE-2026-33375)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to insufficient validation of user-supplied queries in the MSSQL data source plugin. A remote user can send a specially crafted request to cause a denial of service.
Authentication as a low-privileged user (Viewer) is required to exploit this vulnerability.
11) Improper input validation (CVE-ID: CVE-2026-34986)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in JWE decryption in key_wrap.go when processing a JWE object with a key wrapping algorithm and an empty encrypted_key field. A remote attacker can send a specially crafted JWE object to cause a denial of service.
The issue is reachable through ParseEncrypted(), ParseEncryptedJSON(), or ParseEncryptedCompact() followed by Decrypt(), and applications are affected only if accepted key algorithms include key wrapping algorithms.
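The condition this entry describes (a key-wrapping alg combined with an empty encrypted_key segment) can be rejected before the object is handed to a JOSE library at all. The following pre-check is an added example, not go-jose's own code: it decodes the protected header of a compact JWE, returns the alg so the caller can apply its allowlist, and fails on the dangerous combination. The set of algorithms treated as key-wrapping follows RFC 7518 naming and is an assumption of this example; `buildJWE` constructs test tokens with placeholder iv, ciphertext and tag segments, not real ciphertext.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Key-management algorithms that wrap the content-encryption key and therefore
// require a non-empty encrypted_key segment (assumed set, named per RFC 7518).
var keyWrapAlgs = map[string]bool{
	"A128KW": true, "A192KW": true, "A256KW": true,
	"A128GCMKW": true, "A192GCMKW": true, "A256GCMKW": true,
	"PBES2-HS256+A128KW": true, "PBES2-HS384+A192KW": true, "PBES2-HS512+A256KW": true,
	"ECDH-ES+A128KW": true, "ECDH-ES+A192KW": true, "ECDH-ES+A256KW": true,
}

var (
	ErrMalformed         = errors.New("jwe: malformed compact serialization")
	ErrEmptyEncryptedKey = errors.New("jwe: key-wrapping alg with empty encrypted_key")
)

// CheckCompactJWE inspects a compact JWE (five base64url segments) before it
// reaches a JOSE library. It returns the protected header's alg so the caller
// can apply its own allowlist, and fails when a key-wrapping alg is paired
// with an empty encrypted_key segment.
func CheckCompactJWE(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return "", ErrMalformed
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil || hdr.Alg == "" {
		return "", ErrMalformed
	}
	if keyWrapAlgs[hdr.Alg] && parts[1] == "" {
		return hdr.Alg, ErrEmptyEncryptedKey
	}
	return hdr.Alg, nil
}

// buildJWE assembles a compact JWE from an alg and an encrypted_key segment.
// Constructed test input: iv, ciphertext and tag are placeholders, not a real
// encryption result.
func buildJWE(alg, encryptedKey string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "enc": "A256GCM"})
	seg := func(s string) string { return base64.RawURLEncoding.EncodeToString([]byte(s)) }
	return strings.Join([]string{
		base64.RawURLEncoding.EncodeToString(hdr), encryptedKey,
		seg("iv"), seg("ciphertext"), seg("tag"),
	}, ".")
}

func main() {
	for _, tok := range []string{
		buildJWE("A256KW", ""), // wrapping alg with empty encrypted_key: rejected
		buildJWE("A256KW", base64.RawURLEncoding.EncodeToString([]byte("wrapped-cek"))),
		buildJWE("dir", ""), // direct encryption legitimately has no encrypted_key
	} {
		alg, err := CheckCompactJWE(tok)
		fmt.Printf("alg=%-7s err=%v\n", alg, err)
	}
}
```

The cheaper fix remains the one the entry implies: configure the parser with an explicit list of accepted key algorithms that excludes key-wrapping algorithms unless the application actually needs them. The pre-check above is a belt-and-braces layer for deployments that cannot upgrade immediately.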
12) Stored cross-site scripting (CVE-ID: CVE-2026-40179)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in the Prometheus web UI tooltip and metrics explorer components when rendering crafted metric names or label values. A remote user can inject crafted metrics through a compromised scrape target, remote write, or the OTLP receiver endpoint to execute arbitrary script in the victim's browser.
User interaction is required to view the affected metric in the Graph UI, such as hovering over a chart tooltip, opening the Metric Explorer, or hovering over a heatmap cell.
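Crafted names and values reach the UI through ingestion paths that are rarely filtered (scrape, remote write, OTLP), so a useful interim control is to detect them at the edge. The scanner below is an added example heuristic, not Prometheus's own validation: it parses exposition-format sample lines, both the classic `name{k="v"} 1` form and the quoted UTF-8 metric-name form `{"quoted name",k="v"} 1`, and reports any metric name (label `__name__`) or label value containing a character with meaning in HTML. The sample lines are constructed for the example.

```go
package main

import "strings"

// Finding is a metric name ("__name__") or label value that contains an HTML-significant character.
type Finding struct {
	Line         int
	Label, Value string
}

const htmlSignificant = `<>&"'`

// indexOutsideQuotes returns the index of the first stop byte at or after i
// that is not inside a double-quoted, backslash-escaped string, or -1.
func indexOutsideQuotes(s string, i int, stop byte) int {
	inQ, esc := false, false
	for ; i < len(s); i++ {
		switch c := s[i]; {
		case esc:
			esc = false
		case inQ && c == '\\':
			esc = true
		case c == '"':
			inQ = !inQ
		case !inQ && c == stop:
			return i
		}
	}
	return -1
}

// unquote strips the surrounding quotes and decodes the \\ \" \n escapes.
func unquote(s string) (string, bool) {
	if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
		return "", false
	}
	return strings.NewReplacer(`\\`, `\`, `\"`, `"`, `\n`, "\n").Replace(s[1 : len(s)-1]), true
}

// ParseSample returns the labels of one sample line, metric name first as
// "__name__"; comment, blank and malformed lines give ok == false.
func ParseSample(line string) (labels [][2]string, ok bool) {
	if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
		return nil, false
	}
	open := strings.IndexByte(line, '{')
	if open < 0 {
		return [][2]string{{"__name__", strings.Fields(line)[0]}}, true
	}
	end := indexOutsideQuotes(line, open+1, '}')
	if end < 0 {
		return nil, false
	}
	name := strings.TrimSpace(line[:open])
	for body := line[open+1 : end]; body != ""; {
		item := body
		if c := indexOutsideQuotes(body, 0, ','); c >= 0 {
			item, body = body[:c], body[c+1:]
		} else {
			body = ""
		}
		if item = strings.TrimSpace(item); item != "" && item[0] == '"' {
			if name, ok = unquote(item); !ok { // quoted metric name (UTF-8 syntax)
				return nil, false
			}
			continue
		}
		eq := strings.IndexByte(item, '=')
		if eq < 0 {
			return nil, false
		}
		v, vok := unquote(strings.TrimSpace(item[eq+1:]))
		if !vok {
			return nil, false
		}
		labels = append(labels, [2]string{strings.TrimSpace(item[:eq]), v})
	}
	return append([][2]string{{"__name__", name}}, labels...), true
}

// FindSuspiciousSamples scans an exposition-format document line by line.
func FindSuspiciousSamples(exposition string) []Finding {
	var out []Finding
	for i, line := range strings.Split(exposition, "\n") {
		labels, _ := ParseSample(line) // malformed lines yield no labels
		for _, kv := range labels {
			if strings.ContainsAny(kv[1], htmlSignificant) {
				out = append(out, Finding{i + 1, kv[0], kv[1]})
			}
		}
	}
	return out
}

// sampleExposition is constructed input for this example, not a real scrape.
const sampleExposition = `http_requests_total{method="GET",handler="/api/v1/query"} 1027
http_requests_total{method="GET",handler="<img src=x onerror=alert(1)>"} 3
{"node cpu <b>seconds</b>",mode="idle"} 12.5
process_open_fds 42`
```

Run `FindSuspiciousSamples` over a scrape or over a dump of the series metadata; on the constructed sample it reports the `handler` value on line 2 and the quoted metric name on line 3. Angle brackets in a label value are not always malicious (URL-encoded handlers, for instance), so treat hits as alerts to review rather than automatic drops unless the target is untrusted.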
13) Information disclosure (CVE-ID: CVE-2026-42151)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the /-/config HTTP API endpoint when serving the Azure AD remote write OAuth configuration. A remote attacker can access the endpoint to disclose sensitive information.
Only deployments using Azure AD remote write with OAuth authentication are affected.
14) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-42154)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with excessive size value in the remote read endpoint (/api/v1/read) when processing snappy-compressed request bodies. A remote attacker can send a specially crafted request body to cause a denial of service.
Concurrent exploitation can exhaust available memory and crash the Prometheus process.
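The allocation this entry describes is driven by the length the request itself declares: a snappy block-format body begins with a uvarint stating the uncompressed size, and a decoder sizes its output buffer from that number before reading any compressed data. The guard below is an added example, not Prometheus code: it reads the preamble with the standard library, rejects bodies that declare more than a configured cap, and rejects bodies too small to plausibly expand to what they claim. `MaxDecodedBytes` and the 32x expansion bound are assumptions of the example; the constructed bodies carry filler, not valid snappy data.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxDecodedBytes caps the decompressed size this server is willing to
// allocate for one remote-read request body (assumed value for the example).
const MaxDecodedBytes = 64 << 20 // 64 MiB

// maxExpansion is a generous bound on snappy's expansion ratio: the longest
// copy operation (64 bytes) costs a tag of at least 3 bytes, so genuine data
// never expands 32x. Used here as a plausibility check (assumption of this
// example, not a guarantee taken from the snappy specification).
const maxExpansion = 32

var (
	ErrBadPreamble = errors.New("snappy: missing or malformed length preamble")
	ErrTooLarge    = errors.New("snappy: declared decoded length exceeds limit")
	ErrImplausible = errors.New("snappy: declared length cannot come from a body this small")
)

// DeclaredDecodedLen reads the uvarint preamble of a snappy block-format body,
// which states the uncompressed size, without decoding anything. It returns
// the declared size and the number of preamble bytes consumed.
func DeclaredDecodedLen(body []byte) (uint64, int, error) {
	n, used := binary.Uvarint(body)
	if used <= 0 {
		return 0, 0, ErrBadPreamble
	}
	return n, used, nil
}

// CheckRemoteReadBody is the guard to run before the body reaches a snappy
// decoder, whose DecodedLen/Decode would otherwise size a buffer from the
// attacker-controlled preamble.
func CheckRemoteReadBody(body []byte) error {
	declared, used, err := DeclaredDecodedLen(body)
	if err != nil {
		return err
	}
	if declared > MaxDecodedBytes {
		return ErrTooLarge
	}
	if declared > uint64(len(body)-used)*maxExpansion {
		return ErrImplausible
	}
	return nil
}

// body builds a block-format body declaring `decoded` bytes followed by
// payloadLen bytes of filler. Constructed input: the filler is not valid
// snappy data and must never reach a decoder.
func body(decoded uint64, payloadLen int) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(buf, decoded)
	return append(buf[:n], make([]byte, payloadLen)...)
}

func main() {
	for _, tc := range []struct {
		name string
		b    []byte
	}{
		{"honest 1 KiB", body(1024, 600)},
		{"declares 1 TiB", body(1<<40, 16)},
		{"16 bytes claiming 32 MiB", body(32<<20, 16)},
		{"empty body", nil},
	} {
		fmt.Printf("%-26s -> %v\n", tc.name, CheckRemoteReadBody(tc.b))
	}
}
```

Pair this with a cap on the compressed body itself (for example `http.MaxBytesReader` around the request body) so that an attacker cannot simply send a large body whose declared length sits just under the cap; the two limits together bound both the bytes read and the bytes allocated per request, which is what stops concurrent requests from exhausting memory.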
Remediation
Install the update from the vendor's website.