PT-2025-31383 · Suse · Suse Manager

Simon Holl · Published 2025-07-23 · Updated 2025-07-31 · CVE-2025-46811

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

SUSE Manager versions prior to 5.0.5.7.30.1-0.3.7-150600.3.6.2

SUSE Manager versions prior to 5.0.5.7.30.1-5.0.14-150600.4.17.1

SUSE Manager Server Module 4.3 versions prior to 0.3.7-150400.3.39.4

SUSE Manager Server Module 4.3 versions prior to 4.3.33-150400.3.55.2

SLES15-SP4-Manager-Server-4-3-BYOS versions prior to 4.3.33-150400.3.55.2

SLES15-SP4-Manager-Server-4-3-BYOS-Azure versions prior to 4.3.33-150400.3.55.2

SLES15-SP4-Manager-Server-4-3-BYOS-EC2 versions prior to 4.3.33-150400.3.55.2

SLES15-SP4-Manager-Server-4-3-BYOS-GCE versions prior to 4.3.33-150400.3.55.2

Description:

A Missing Authentication for Critical Function vulnerability exists in SUSE Manager. This allows anyone with access to the websocket at `/rhn/websocket/minion/remote-commands` to execute arbitrary commands as root.
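For reviewing exposure while updates are rolled out, the following added example (not part of the advisory or of SUSE's code) scans web access logs for requests to the websocket path named above that come from outside an expected management network. It assumes the server's front end writes Apache "combined" format access logs; the trusted network and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Endpoint named in the advisory description.
WS_PATH = "/rhn/websocket/minion/remote-commands"

# Assumption: networks from which administrators legitimately reach the web UI.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Apache "combined" format: client, identity, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [24/Jul/2025:09:12:01 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 - "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jul/2025:09:14:33 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 - "-" "-"
203.0.113.9 - - [24/Jul/2025:09:15:02 +0000] "GET /rhn/websocket/minion/remote-commands?x=1 HTTP/1.1" 403 199 "-" "-"
10.20.0.15 - - [24/Jul/2025:09:16:40 +0000] "GET /rhn/manager/systems/list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostnames or malformed values are never treated as trusted
    return any(addr in net for net in TRUSTED_NETS)

def find_suspect_requests(log_text):
    """Return (time, client, status, upgraded) for untrusted hits on WS_PATH."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["target"].split("?", 1)[0]  # ignore any query string
        if path != WS_PATH or is_trusted(m["client"]):
            continue
        # Status 101 means the WebSocket handshake completed.
        hits.append((m["time"], m["client"], int(m["status"]), m["status"] == "101"))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Entries with the last field set to `True` are completed handshakes from untrusted sources and deserve follow-up first.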

Recommendations:

Update SUSE Manager to version 5.0.5.7.30.1-0.3.7-150600.3.6.2 or later.

Update SUSE Manager to version 5.0.5.7.30.1-5.0.14-150600.4.17.1 or later.

Update SUSE Manager Server Module 4.3 to version 0.3.7-150400.3.39.4 or later.

Update SUSE Manager Server Module 4.3 to version 4.3.33-150400.3.55.2 or later.

Update SLES15-SP4-Manager-Server-4-3-BYOS to version 4.3.33-150400.3.55.2 or later.

Update SLES15-SP4-Manager-Server-4-3-BYOS-Azure to version 4.3.33-150400.3.55.2 or later.

Update SLES15-SP4-Manager-Server-4-3-BYOS-EC2 to version 4.3.33-150400.3.55.2 or later.

Update SLES15-SP4-Manager-Server-4-3-BYOS-GCE to version 4.3.33-150400.3.55.2 or later.

Fix

RCE

Missing Authentication

Related Identifiers

BDU:2025-09293
CVE-2025-46811

Affected Products

Image Sles15-Sp4-Manager-Server-4-3-Byos
Image Sles15-Sp4-Manager-Server-4-3-Byos-Azure
Image Sles15-Sp4-Manager-Server-4-3-Byos-Ec2
Suse Manager
Suse Manager Server Module 4.3