PT-2026-38260 · Suse+1 · Harvester+1

Published: 2026-05-06 · Updated: 2026-06-16 · CVE-2025-71261

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: SUSE Virtualization versions prior to 1.8.0

Description: A security gap exists in the SUSE Virtualization Rancher integration mechanism where the registration client uses an insecure TLS option that fails to verify the remote server's certificate. An attacker with network-level access between SUSE Virtualization and Rancher Manager could interfere with the TLS handshake to bypass TLS security controls, potentially misleading the registration client into sending requests to an impersonated service via a man-in-the-middle attack. Furthermore, the system processes response payloads without size validation, which could allow an attacker to induce a memory buffer overflow, leading to a crash of the registration controller. This issue specifically affects the cluster-registration-url setting.

Recommendations: Update to version 1.8.0 or newer. As a temporary workaround, ensure that only authorized cluster administrators can access and modify the cluster-registration-url setting.
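An added example, not Harvester's or SUSE's code, of the two defect classes the description names, written in Go because Harvester is a Go project: a transport that disables certificate verification beside one that verifies the peer against an operator-supplied CA bundle (the caPEM input is hypothetical), and a bounded body reader that rejects an oversized response instead of buffering it whole.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"net/http"
)

// ErrResponseTooLarge is returned when a response body exceeds the cap.
var ErrResponseTooLarge = errors.New("registration response exceeds size limit")

// weakTransport reproduces the defect class: any certificate is accepted (contrast only).
func weakTransport() *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
}

// hardenedTransport verifies the peer against caPEM (hypothetical bundle) or the system store.
func hardenedTransport(caPEM []byte) (*http.Transport, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no usable CA certificate in bundle")
		}
		cfg.RootCAs = pool
	}
	return &http.Transport{TLSClientConfig: cfg}, nil
}

// readBounded buffers at most max bytes; the single extra byte only detects an oversized body.
func readBounded(r io.Reader, max int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > max {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

func main() {
	tr, _ := hardenedTransport(nil) // nil: fall back to the system trust store
	_ = &http.Client{Transport: tr} // use this client for the registration request
}
```

Pair readBounded with the response body of the registration request so that a hostile or misbehaving endpoint can only make the controller allocate up to the cap.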

Tags: Fix · DoS · Improper Certificate Validation


Weakness Enumeration

Related Identifiers: CVE-2025-71261 · GHSA-PGH9-MPWC-8JJF

Affected Products: Harvester (github.com/harvester/harvester)