release-notes-susemanager (SUSE:Manager Server 4.3) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Manager Server 4.3 package release-notes-susemanager, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (49)
CVE-2024-9264 — CVSS 9.9 (critical): The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are…
CVE-2021-41411 — CVSS 9.8 (critical): drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used…
CVE-2021-42740 — CVSS 9.8 (critical): The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a…
CVE-2024-47533 — CVSS 9.8 (critical): Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication…
CVE-2025-46811 — CVSS 9.8 (critical): A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager is able…
CVE-2024-38824 — CVSS 9.6 (critical): Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.
CVE-2024-45337 — CVSS 9.1 (critical): Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be…
CVE-2025-22239 — CVSS 8.1 (high): Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events…
CVE-2022-1415 — CVSS 8.1 (high): A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an…
CVE-2025-22236 — CVSS 8.1 (high): Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on…
CVE-2021-43138 — CVSS 7.8 (high): In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js…
CVE-2024-22232 — CVSS 7.7 (high): A specially crafted url can be created which leads to a directory traversal in the salt file server. A malicious user can read an arbitrary…
CVE-2025-4123 — CVSS 7.6 (high): A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows…
CVE-2022-31129 — CVSS 7.5 (high): moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to…
CVE-2023-45288 — CVSS 7.5 (high): An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames…
CVE-2024-45339 — CVSS 7.1 (high): When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file…
CVE-2025-2703 — CVSS 6.8 (medium): The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in…
CVE-2023-34049 — CVSS 6.7 (medium): The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run…
CVE-2025-22237 — CVSS 6.7 (medium): An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause…
CVE-2025-27144: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web…
CVE-2023-51775 — CVSS 6.5 (medium): The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2…
CVE-2025-22872 — CVSS 6.5 (medium): The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When…
CVE-2024-38825 — CVSS 6.4 (medium): The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated…
CVE-2025-22240 — CVSS 6.3 (medium): Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using…
CVE-2022-46146 — CVSS 6.2 (medium): Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a…
CVE-2023-32189 — CVSS 5.9 (medium): Insecure handling of ssh keys used to bootstrap clients allows local attackers to potentially gain access to the keys
CVE-2025-46809 — CVSS 5.7 (medium): A Plaintext Storage of a Password vulnerability in SUSE exposes the credentials for the HTTP proxy in the log files. This issue affects…
CVE-2025-22242 — CVSS 5.6 (medium): Worker process denial of service through file read operation. .A vulnerability exists in the Master's “pub_ret” method which is exposed…
CVE-2025-22241 — CVSS 5.6 (medium): File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create…
CVE-2024-47535 — CVSS 5.5 (medium): Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers…
CVE-2023-22644 — CVSS 5.5 (medium): A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector…
CVE-2025-3580 — CVSS 5.5 (medium): An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server…
CVE-2023-20897 — CVSS 5.3 (medium): Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to…
CVE-2023-29409 — CVSS 5.3 (medium): Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the…
CVE-2025-23392 — CVSS 5.2 (medium): A Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of…
CVE-2025-23393 — CVSS 5.2 (medium): A Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of…
CVE-2024-9476: A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation allows users to gain access to resources from other…
CVE-2024-22231 — CVSS 5.0 (medium): Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create…
CVE-2025-3454 — CVSS 5.0 (medium): This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the…
CVE-2025-22870 — CVSS 4.4 (medium): Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY…
CVE-2024-11741 — CVSS 4.3 (medium): Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected…
CVE-2025-22238 — CVSS 4.2 (medium): Directory traversal attack in minion file cache creation. The master's default cache is vulnerable to a directory traversal attack. Which…
CVE-2023-20898 — CVSS 4.2 (medium): Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or…
CVE-2024-49502 — CVSS 3.5 (low): A Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in the Setup Wizard, HTTP Proxy…
CVE-2024-49503 — CVSS 3.5 (low): A Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SUSE manager allows…
CVE-2024-51744 — CVSS 3.1 (low): golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to…
CVE-2024-38823 — CVSS 2.7 (low): Salt's request server is vulnerable to replay attacks when not using a TLS encrypted transport.
CVE-2024-38822 — CVSS 2.7 (low): Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion.