CVE-2023-22644

Name of the Vulnerable Software and Affected Versions SUSE Manager Server Module 4.2 versions prior to 4.2.50-150300.3.66.5 SUSE Manager Server Module 4.3 versions prior to 4.3.58-150400.3.46.4 NeuVector (affected versions not specified)

Description A user can reverse engineer the JSON Web Token (JWT) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector, potentially leading to Remote Code Execution (RCE). Additionally, an Innsertion of Sensitive Information into Log File vulnerability in SUSE SUSE Manager Server Module causes sensitive information to be logged.

Recommendations For SUSE Manager Server Module 4.2 versions prior to 4.2.50-150300.3.66.5, update to version 4.2.50-150300.3.66.5 or later. For SUSE Manager Server Module 4.3 versions prior to 4.3.58-150400.3.46.4, update to version 4.3.58-150400.3.46.4 or later. For NeuVector, as a temporary workaround, consider restricting access to the authentication mechanism using JWT tokens until a patch is available. Avoid using the JWT token in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability in NeuVector.