cvelistv5 - cve-2025-54799

CVE-2025-54799 (GCVE-0-2025-54799)

Vulnerability from cvelistv5

Published

2025-08-07 00:04

Modified

2025-08-07 14:07

Severity ?

2.3 (Low) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Summary

Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.

References

►

URL

	Vendor	Product	Version
	go-acme	lego	Version: < 4.25.2

fkie_cve-2025-54799

Vulnerability from fkie_nvd

Published

2025-08-07 01:15

Modified

2025-08-07 21:26

Severity ?

2.3 (Low) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96
	security-advisories@github.com	https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Let\u0027s Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don\u0027t enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2."
    },
    {
      "lang": "es",
      "value": "Cliente Let\u0027s Encrypt y librer\u00eda ACME escritos en Go (Lego). En las versiones 4.25.1 y anteriores, el paquete github.com/go-acme/lego/v4/acme/api (y, por lo tanto, la librer\u00eda lego y la CLI de lego) no exigen HTTPS al comunicarse con las CA como cliente ACME. A diferencia del desaf\u00edo http-01, que resuelve un desaf\u00edo ACME mediante HTTP sin cifrar, el protocolo ACME requiere HTTPS cuando un cliente se comunica con la CA para realizar funciones ACME. Sin embargo, la librer\u00eda no exige HTTPS ni en la URL de descubrimiento original (configurada por el usuario de la librer\u00eda) ni en las direcciones posteriores devueltas por las CA en los objetos de directorio y pedido. Si los usuarios introducen URL HTTP o las CA configuran incorrectamente los endpoints, las operaciones del protocolo se realizan mediante HTTP en lugar de HTTPS. Esto compromete la privacidad al exponer detalles de solicitud/respuesta, como los identificadores de cuenta y solicitud, a atacantes de red. Esto se solucion\u00f3 en la versi\u00f3n 4.25.2."
    }
  ],
  "id": "CVE-2025-54799",
  "lastModified": "2025-08-07T21:26:37.453",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.3,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "UNREPORTED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-07T01:15:26.370",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

opensuse-su-2025:15434-1

Vulnerability from csaf_opensuse

Published

2025-08-12 00:00

Modified

2025-08-12 00:00

Summary

govulncheck-vulndb-0.0.20250811T192933-1.1 on GA media

Notes

Title of the patch

govulncheck-vulndb-0.0.20250811T192933-1.1 on GA media

Description of the patch

These are all security issues fixed in the govulncheck-vulndb-0.0.20250811T192933-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15434

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "govulncheck-vulndb-0.0.20250811T192933-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20250811T192933-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15434",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15434-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-21411 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-21411/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-44779 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-44779/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-50738 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-50738/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-53534 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-53534/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-53942 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-53942/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54386 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54386/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54388 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54388/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54410 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54410/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54424 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54424/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54576 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54576/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54799 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54799/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54801 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54801/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54996 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54996/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54997 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54997/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54998 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54998/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-54999 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-54999/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-55000 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-55000/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-55001 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-55001/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-55003 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-55003/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-5999 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-5999/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6000 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6000/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6004 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6004/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6011 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6011/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6013 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6013/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6014 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6014/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6015 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6015/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6037 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6037/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-7195 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-7195/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-8341 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-8341/"
      }
    ],
    "title": "govulncheck-vulndb-0.0.20250811T192933-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-08-12T00:00:00Z",
      "generator": {
        "date": "2025-08-12T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15434-1",
      "initial_release_date": "2025-08-12T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-08-12T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
                  "product_id": "govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
                  "product_id": "govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
                  "product_id": "govulncheck-vulndb-0.0.20250811T192933-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64",
                  "product_id": "govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-21411",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-21411"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn\u0027t restricted. Additionally, any authenticated users had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header to the upstream application. While adding GitLab project based authorization support in #630, a bug was introduced where the user session\u0027s groups field was populated with the `--gitlab-group` config entries instead of pulling the individual user\u0027s group membership from the GitLab Userinfo endpoint. When the session groups where compared against the allowed groups for authorization, they matched improperly (since both lists were populated with the same data) so authorization was allowed. This impacts GitLab Provider users who relies on group membership for authorization restrictions. Any authenticated users in your GitLab environment can access your applications regardless of `--gitlab-group` membership restrictions. This is patched in v7.1.0. There is no workaround for the Group membership bug. But `--gitlab-project` can be set to use Project membership as the authorization checks instead of groups; it is not broken.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-21411",
          "url": "https://www.suse.com/security/cve/CVE-2021-21411"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-21411"
    },
    {
      "cve": "CVE-2025-44779",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-44779"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-44779",
          "url": "https://www.suse.com/security/cve/CVE-2025-44779"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247810 for CVE-2025-44779",
          "url": "https://bugzilla.suse.com/1247810"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-44779"
    },
    {
      "cve": "CVE-2025-50738",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-50738"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user\u0027s IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-50738",
          "url": "https://www.suse.com/security/cve/CVE-2025-50738"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-50738"
    },
    {
      "cve": "CVE-2025-53534",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-53534"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take over hosts managed by the panel without logging in. In addition to this remote code execution (RCE) vulnerability, the flawed code also leads to unauthorized access. RatPanel uses the CleanPath middleware provided by github.com/go-chi/chi package to clean URLs, but but the middleware does not process r.URL.Path, which can cause the paths to be misinterpreted. This is fixed in version 2.5.6.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-53534",
          "url": "https://www.suse.com/security/cve/CVE-2025-53534"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "not set"
        }
      ],
      "title": "CVE-2025-53534"
    },
    {
      "cve": "CVE-2025-53942",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-53942"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To workaround this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression of return request.context[\"pending_user\"].is_active. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-53942",
          "url": "https://www.suse.com/security/cve/CVE-2025-53942"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "not set"
        }
      ],
      "title": "CVE-2025-53942"
    },
    {
      "cve": "CVE-2025-54386",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54386"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik\u0027s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54386",
          "url": "https://www.suse.com/security/cve/CVE-2025-54386"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247524 for CVE-2025-54386",
          "url": "https://bugzilla.suse.com/1247524"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-54386"
    },
    {
      "cve": "CVE-2025-54388",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54388"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables rules including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. This means that after a firewalld reload, containers with ports published to localhost (like 127.0.0.1:8080) become accessible from remote machines that have network routing to the Docker bridge, even though they should only be accessible from the host itself. The vulnerability only affects explicitly published ports - unpublished ports remain protected. This issue is fixed in version 28.3.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54388",
          "url": "https://www.suse.com/security/cve/CVE-2025-54388"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247367 for CVE-2025-54388",
          "url": "https://bugzilla.suse.com/1247367"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-54388"
    },
    {
      "cve": "CVE-2025-54410",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54410"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create iptables rules that isolate bridge networks, allowing any container to access all ports on any other container across different bridge networks on the same host. This breaks network segmentation between containers that should be isolated, creating significant risk in multi-tenant environments. Only containers in --internal networks remain protected.\nWorkarounds include reloading firewalld and either restarting the docker daemon, re-creating bridge networks, or using rootless mode. Maintainers anticipate a fix for this issue in version 25.0.13.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54410",
          "url": "https://www.suse.com/security/cve/CVE-2025-54410"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247392 for CVE-2025-54410",
          "url": "https://bugzilla.suse.com/1247392"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-54410"
    },
    {
      "cve": "CVE-2025-54424",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54424"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during certificate validation, leading to unauthorized interface access. Due to the presence of numerous command execution or high-privilege interfaces in 1Panel, this results in Remote Code Execution (RCE). This is fixed in version 2.0.6. The CVE has been translated from Simplified Chinese using GitHub Copilot.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54424",
          "url": "https://www.suse.com/security/cve/CVE-2025-54424"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-54424"
    },
    {
      "cve": "CVE-2025-54576",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54576"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skip_auth_routes configuration option with regex patterns. Attackers can bypass authentication by crafting URLs with query parameters that satisfy configured regex patterns, allowing unauthorized access to protected resources. The issue stems from skip_auth_routes matching against the full request URI. Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns are most at risk. This issue is fixed in version 7.11.0. Workarounds include: auditing all skip_auth_routes configurations for overly permissive patterns, replacing wildcard patterns with exact path matches where possible, ensuring regex patterns are properly anchored (starting with ^ and ending with $), or implementing custom validation that strips query parameters before regex matching.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54576",
          "url": "https://www.suse.com/security/cve/CVE-2025-54576"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-54576"
    },
    {
      "cve": "CVE-2025-54799",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54799"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Let\u0027s Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don\u0027t enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54799",
          "url": "https://www.suse.com/security/cve/CVE-2025-54799"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247743 for CVE-2025-54799",
          "url": "https://bugzilla.suse.com/1247743"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-54799"
    },
    {
      "cve": "CVE-2025-54801",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54801"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber\u0027s Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54801",
          "url": "https://www.suse.com/security/cve/CVE-2025-54801"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "not set"
        }
      ],
      "title": "CVE-2025-54801"
    },
    {
      "cve": "CVE-2025-54996",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54996"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to the root policy. While the identity system allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key shares. The global root policy was not accessible from child namespaces. This issue is fixed in version 2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54996",
          "url": "https://www.suse.com/security/cve/CVE-2025-54996"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247888 for CVE-2025-54996",
          "url": "https://bugzilla.suse.com/1247888"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-54996"
    },
    {
      "cve": "CVE-2025-54997",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54997"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54997",
          "url": "https://www.suse.com/security/cve/CVE-2025-54997"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247889 for CVE-2025-54997",
          "url": "https://bugzilla.suse.com/1247889"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-54997"
    },
    {
      "cve": "CVE-2025-54998",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54998"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54998",
          "url": "https://www.suse.com/security/cve/CVE-2025-54998"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247890 for CVE-2025-54998",
          "url": "https://bugzilla.suse.com/1247890"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-54998"
    },
    {
      "cve": "CVE-2025-54999",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-54999"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao\u0027s userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-54999",
          "url": "https://www.suse.com/security/cve/CVE-2025-54999"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247891 for CVE-2025-54999",
          "url": "https://bugzilla.suse.com/1247891"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-54999"
    },
    {
      "cve": "CVE-2025-55000",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-55000"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao\u0027s TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-55000",
          "url": "https://www.suse.com/security/cve/CVE-2025-55000"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247892 for CVE-2025-55000",
          "url": "https://bugzilla.suse.com/1247892"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-55000"
    },
    {
      "cve": "CVE-2025-55001",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-55001"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. This issue was fixed in version 2.3.2. To work around this, remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-55001",
          "url": "https://www.suse.com/security/cve/CVE-2025-55001"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247893 for CVE-2025-55001",
          "url": "https://bugzilla.suse.com/1247893"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-55001"
    },
    {
      "cve": "CVE-2025-55003",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-55003"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao\u0027s Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker\u0027s ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-55003",
          "url": "https://www.suse.com/security/cve/CVE-2025-55003"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247894 for CVE-2025-55003",
          "url": "https://bugzilla.suse.com/1247894"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-55003"
    },
    {
      "cve": "CVE-2025-5999",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-5999"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A privileged Vault operator with write permissions to the root namespace\u0027s identity endpoint could escalate their own or another user\u0027s token privileges to Vault\u0027s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-5999",
          "url": "https://www.suse.com/security/cve/CVE-2025-5999"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-5999"
    },
    {
      "cve": "CVE-2025-6000",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6000"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault\u0027s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6000",
          "url": "https://www.suse.com/security/cve/CVE-2025-6000"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247546 for CVE-2025-6000",
          "url": "https://bugzilla.suse.com/1247546"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-6000"
    },
    {
      "cve": "CVE-2025-6004",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6004"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Vault and Vault Enterprise\u0027s (\"Vault\") user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6004",
          "url": "https://www.suse.com/security/cve/CVE-2025-6004"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-6004"
    },
    {
      "cve": "CVE-2025-6011",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6011"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A timing side channel in Vault and Vault Enterprise\u0027s (\"Vault\") userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault\u0027s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6011",
          "url": "https://www.suse.com/security/cve/CVE-2025-6011"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-6011"
    },
    {
      "cve": "CVE-2025-6013",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6013"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Vault and Vault Enterprise\u0027s (\"Vault\") ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6013",
          "url": "https://www.suse.com/security/cve/CVE-2025-6013"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247698 for CVE-2025-6013",
          "url": "https://bugzilla.suse.com/1247698"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-6013"
    },
    {
      "cve": "CVE-2025-6014",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6014"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Vault and Vault Enterprise\u0027s (\"Vault\") TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6014",
          "url": "https://www.suse.com/security/cve/CVE-2025-6014"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-6014"
    },
    {
      "cve": "CVE-2025-6015",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6015"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Vault and Vault Enterprise\u0027s (\"Vault\") login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6015",
          "url": "https://www.suse.com/security/cve/CVE-2025-6015"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-6015"
    },
    {
      "cve": "CVE-2025-6037",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6037"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Vault and Vault Enterprise (\"Vault\") TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6037",
          "url": "https://www.suse.com/security/cve/CVE-2025-6037"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-6037"
    },
    {
      "cve": "CVE-2025-7195",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-7195"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. \n\nIn affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-7195",
          "url": "https://www.suse.com/security/cve/CVE-2025-7195"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-7195"
    },
    {
      "cve": "CVE-2025-8341",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-8341"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints.\n\n\nIf the plugin was configured to allow only certain URLs, an attacker could bypass this restriction using a specially crafted URL. This vulnerability is fixed in version 3.4.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-8341",
          "url": "https://www.suse.com/security/cve/CVE-2025-8341"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-12T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-8341"
    }
  ]
}

ghsa-q82r-2j7m-9rv4

Vulnerability from github

Published

2025-08-06 17:08

Modified

2025-08-07 15:11

Severity ?

2.3 (Low) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Summary

github.com/go-acme/lego/v4/acme/api does not enforce HTTPS

Details

Summary

It was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client.

Details

Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. This is stated in 6.1 of RFC 8555: https://datatracker.ietf.org/doc/html/rfc8555#section-6.1

Each ACME function is accomplished by the client sending a sequence of HTTPS requests to the server [RFC2818], carrying JSON messages [RFC8259]. Use of HTTPS is REQUIRED. Each subsection of Section 7 below describes the message formats used by the function and the order in which messages are sent.

However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects.

If the library user accidentally inputs an HTTP URL, or the CA similarly misconfigures its endpoints, this will cause the relevant parts of the protocol to be performed over HTTP. This can result, at the very least, in a lost of privacy of the request/response details, such as account and request identifiers (which could be intercepted by an attacker in a privileged network position). We did not investigate whether other more serious threats could result from the ability to impersonate a CA for some of the protocol requests, but enforcing HTTPS usage is definitely the safe choice.

Reproducing

This is illustrated in the attached http_acme_test.go. Since it uses private field Core.directory, this test must be placed inside the source directory of https://github.com/go-acme/lego/v4/acme/api to run.

Please note that this only checks getting the directory and creating a new account, but other ACME functions are likely impacted as well, such as creating orders, getting and checking order authorizations.

```go package api import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "fmt" "net/http" "strings" "testing" "time" "github.com/go-acme/lego/v4/acme" ) const letsEncryptURLHTTP = "http://acme-v02.api.letsencrypt.org/directory" const letsEncryptURLHTTPS = "https://acme-v02.api.letsencrypt.org/directory" func changeToHTTP(url *string) { if strings.HasPrefix(*url, "https:") { *url = "http" + (*url)[len("https"):] } } func changeToHTTPS(url *string) { if strings.HasPrefix(*url, "http:") { *url = "https" + (*url)[len("http"):] } } func TestHTTPURLs(t *testing.T) { privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { t.Fatalf("error generating a private key: %v", err) } func() { t.Log("testing that Discover enforces https") _, err := New(&http.Client{ Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport}, Timeout: 20 * time.Second, }, "", letsEncryptURLHTTP, "", privateKey) if err != nil { t.Errorf("New error: %v", err) } }() core, err := New(&http.Client{ Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport}, Timeout: 20 * time.Second, }, "", letsEncryptURLHTTPS, "", privateKey) if err != nil { t.Fatalf("New error: %v", err) } func() { t.Log("testing that account creation enforces https") // Simulate a misconfigured CA that gives out HTTP directory URLs and when // we're done change it back to HTTPS to test the rest. changeToHTTP(&core.directory.NewAccountURL) defer changeToHTTPS(&core.directory.NewAccountURL) _, err := core.Accounts.New(acme.Account{ TermsOfServiceAgreed: true, Contact: []string{}, }) if err != nil { t.Errorf("core.Accounts.New error: %v", err) } }() _, err = core.Accounts.New(acme.Account{ TermsOfServiceAgreed: true, Contact: []string{}, }) if err != nil { t.Fatalf("core.Accounts.New error: %v", err) } } type httpsOnlyRoundTripper struct { inner http.RoundTripper } func (r *httpsOnlyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { if req.URL.Scheme != "https" { return nil, fmt.Errorf("non-https request is being sent") } return r.inner.RoundTrip(req) } ```

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-acme/lego"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.25.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-acme/lego/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.25.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.25.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-acme/lego/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.25.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-06T17:08:52Z",
    "nvd_published_at": "2025-08-07T01:15:26Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nIt was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don\u0027t enforce HTTPS when talking to CAs as an ACME client.\n\n## Details\n\nUnlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. This is stated in 6.1 of RFC 8555: [https://datatracker.ietf.org/doc/html/rfc8555#section-6.1](https://datatracker.ietf.org/doc/html/rfc8555#section-6.1)\n\n\u003e Each ACME function is accomplished by the client sending a sequence\n\u003e of HTTPS requests to the server [[RFC2818](https://datatracker.ietf.org/doc/html/rfc2818)], carrying JSON messages\n\u003e [[RFC8259](https://datatracker.ietf.org/doc/html/rfc8259)].  Use of HTTPS is REQUIRED.  Each subsection of [Section 7](https://datatracker.ietf.org/doc/html/rfc8555#section-7)\n\u003e below describes the message formats used by the function and the\n\u003e order in which messages are sent.\n\nHowever, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects.\n\nIf the library user accidentally inputs an HTTP URL, or the CA similarly misconfigures its endpoints, this will cause the relevant parts of the protocol to be performed over HTTP. This can result, at the very least, in a lost of privacy of the request/response details, such as account and request identifiers (which could be intercepted by an attacker in a privileged network position). We did not investigate whether other more serious threats could result from the ability to impersonate a CA for some of the protocol requests, but enforcing HTTPS usage is definitely the safe choice.\n\n## Reproducing\n\nThis is illustrated in the attached http_acme_test.go. Since it uses private field Core.directory, this test must be placed inside the source directory of https://github.com/go-acme/lego/v4/acme/api to run.\n\nPlease note that this only checks getting the directory and creating a new account, but other ACME functions are likely impacted as well, such as creating orders, getting and checking order authorizations.\n\n\u003cdetails\u003e\n\n```go\npackage api\n\nimport (\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/go-acme/lego/v4/acme\"\n)\n\nconst letsEncryptURLHTTP = \"http://acme-v02.api.letsencrypt.org/directory\"\nconst letsEncryptURLHTTPS = \"https://acme-v02.api.letsencrypt.org/directory\"\n\nfunc changeToHTTP(url *string) {\n\tif strings.HasPrefix(*url, \"https:\") {\n\t\t*url = \"http\" + (*url)[len(\"https\"):]\n\t}\n}\n\nfunc changeToHTTPS(url *string) {\n\tif strings.HasPrefix(*url, \"http:\") {\n\t\t*url = \"https\" + (*url)[len(\"http\"):]\n\t}\n}\n\nfunc TestHTTPURLs(t *testing.T) {\n\tprivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\tt.Fatalf(\"error generating a private key: %v\", err)\n\t}\n\n\tfunc() {\n\t\tt.Log(\"testing that Discover enforces https\")\n\t\t_, err := New(\u0026http.Client{\n\t\t\tTransport: \u0026httpsOnlyRoundTripper{inner: http.DefaultTransport},\n\t\t\tTimeout:   20 * time.Second,\n\t\t}, \"\", letsEncryptURLHTTP, \"\", privateKey)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"New error: %v\", err)\n\t\t}\n\t}()\n\n\tcore, err := New(\u0026http.Client{\n\t\tTransport: \u0026httpsOnlyRoundTripper{inner: http.DefaultTransport},\n\t\tTimeout:   20 * time.Second,\n\t}, \"\", letsEncryptURLHTTPS, \"\", privateKey)\n\tif err != nil {\n\t\tt.Fatalf(\"New error: %v\", err)\n\t}\n\n\tfunc() {\n\t\tt.Log(\"testing that account creation enforces https\")\n\n\t\t// Simulate a misconfigured CA that gives out HTTP directory URLs and when\n\t\t// we\u0027re done change it back to HTTPS to test the rest.\n\t\tchangeToHTTP(\u0026core.directory.NewAccountURL)\n\t\tdefer changeToHTTPS(\u0026core.directory.NewAccountURL)\n\n\t\t_, err := core.Accounts.New(acme.Account{\n\t\t\tTermsOfServiceAgreed: true,\n\t\t\tContact:              []string{},\n\t\t})\n\t\tif err != nil {\n\t\t\tt.Errorf(\"core.Accounts.New error: %v\", err)\n\t\t}\n\t}()\n\n\t_, err = core.Accounts.New(acme.Account{\n\t\tTermsOfServiceAgreed: true,\n\t\tContact:              []string{},\n\t})\n\tif err != nil {\n\t\tt.Fatalf(\"core.Accounts.New error: %v\", err)\n\t}\n}\n\ntype httpsOnlyRoundTripper struct {\n\tinner http.RoundTripper\n}\n\nfunc (r *httpsOnlyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {\n\tif req.URL.Scheme != \"https\" {\n\t\treturn nil, fmt.Errorf(\"non-https request is being sent\")\n\t}\n\treturn r.inner.RoundTrip(req)\n}\n```\n\n\u003c/details\u003e\n\n_",
  "id": "GHSA-q82r-2j7m-9rv4",
  "modified": "2025-08-07T15:11:32Z",
  "published": "2025-08-06T17:08:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54799"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-acme/lego"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "github.com/go-acme/lego/v4/acme/api does not enforce HTTPS"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-54799 (GCVE-0-2025-54799)

Vulnerability from cvelistv5

fkie_cve-2025-54799

Vulnerability from fkie_nvd

opensuse-su-2025:15434-1

Vulnerability from csaf_opensuse

ghsa-q82r-2j7m-9rv4

Vulnerability from github

Summary

Details

Reproducing

Tags

Sightings

Nomenclature