SUSE update for SUSE Manager Salt Bundle

Published: 2024-05-06

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-22231 CVE-2024-22232
CWE-ID	CWE-22
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	SUSE Manager Client Tools for Debian Operating systems & Components / Operating system venv-salt-minion Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU86611

Risk: Low

CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-22231

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to create arbitrary directories.

The vulnerability exists due to input validation error when processing directory traversal sequences during Syndic cache directory creation. A remote user can create arbitrary directories on the Salt master.

Mitigation

Update the affected package SUSE Manager Salt Bundle to the latest version.

Vulnerable software versions

SUSE Manager Client Tools for Debian: 11

venv-salt-minion: before 3006.0-2.50.4

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20241521-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Path traversal

EUVDB-ID: #VU86612

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-22232