Risk Scores
CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SUSE | Multi-Linux Manager Client Tools |
Timeline
- Mar 30, 2026 CVE Published
=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.3135 Security Beta update 5.2.0 Beta1 for Multi-Linux Manager Client Tools 31 March 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: Multi-Linux Manager Client Tools Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2025-67724 CVE-2025-67725 CVE-2025-67726 CVE-2026-27606 CVE-2025-62348 CVE-2025-62349 CVE-2026-1615 CVE-2026-25547 CVE-2025-3415 CVE-2025-61140 CVE-2026-21722 Original Bulletin: https://www.suse.com/support/update/announcement/2026/suse-su-20261148-1 Comment: CVSS (Max): 9.8 CVE-2026-1615 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS (Max): 0.3% (55th) CVE-2025-3415 2026-03-30 - --------------------------BEGIN INCLUDED TEXT-------------------- Security Beta update 5.2.0 Beta1 for Multi-Linux Manager Client Tools Announcement ID: SUSE-SU-2026:1148-1 Release Date: 2026-03-30T11:21:21Z Rating: critical o bsc#1254256 o bsc#1254257 o bsc#1254903 o bsc#1254904 o bsc#1254905 o bsc#1257442 o bsc#1257447 References: o bsc#1257841 o bsc#1257897 o bsc#1258015 o bsc#1258136 o bsc#1258893 o bsc#1258957 o jsc#MSQA-1044 o jsc#PED-15474 o CVE-2025-3415 o CVE-2025-61140 o CVE-2025-62348 o CVE-2025-62349 o CVE-2025-67724 Cross-References: o CVE-2025-67725 o CVE-2025-67726 o CVE-2026-1615 o CVE-2026-21722 o CVE-2026-25547 o CVE-2026-27606 o CVE-2025-3415 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/ UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N o CVE-2025-3415 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/ S:U/C:L/I:N/A:N o CVE-2025-3415 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/ S:U/C:L/I:N/A:N o CVE-2025-61140 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N /UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N o CVE-2025-61140 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N /S:U/C:H/I:H/A:H o CVE-2025-61140 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:H/I:H/A:H o CVE-2025-62348 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L /UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N o CVE-2025-62348 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N /S:U/C:H/I:H/A:H o CVE-2025-62348 ( NVD ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/ UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/ MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/ MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X o CVE-2025-62348 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/ S:U/C:H/I:H/A:H o CVE-2025-62349 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:H /UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N o CVE-2025-62349 ( SUSE ): 6.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N /S:U/C:H/I:H/A:L o CVE-2025-62349 ( NVD ): 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/ UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/ MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/ MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X o CVE-2025-62349 ( NVD ): 6.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/ S:U/C:H/I:H/A:L o CVE-2025-67724 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N /UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N o CVE-2025-67724 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R /S:U/C:L/I:L/A:N o CVE-2025-67724 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:C/C:L/I:L/A:N o CVE-2025-67724 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/ S:U/C:L/I:L/A:N o CVE-2025-67725 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N /UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2025-67725 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N /S:U/C:N/I:N/A:H CVSS scores: o CVE-2025-67725 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:N/I:N/A:H o CVE-2025-67726 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N /UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2025-67726 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N /S:U/C:N/I:N/A:H o CVE-2025-67726 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:N/I:N/A:H o CVE-2026-1615 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/ UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/ MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/ MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X o CVE-2026-1615 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:H/I:H/A:H o CVE-2026-1615 ( NVD ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/ UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/ MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/ MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X o CVE-2026-1615 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:H/I:H/A:H o CVE-2026-21722 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N /UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N o CVE-2026-21722 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N /S:U/C:L/I:N/A:N o CVE-2026-21722 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:L/I:N/A:N o CVE-2026-25547 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N /UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N o CVE-2026-25547 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N /S:U/C:N/I:N/A:H o CVE-2026-25547 ( NVD ): 9.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/ UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/ MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/ MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X o CVE-2026-27606 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N /UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N o CVE-2026-27606 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R /S:U/C:H/I:H/A:H o CVE-2026-27606 ( NVD ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/ UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/ MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/ MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X o CVE-2026-27606 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:H/I:H/A:H Affected o SUSE Multi-Linux Manager Beta Client Tools for SLE 15 Products: o SUSE Multi-Linux Manager Beta Client Tools for SLE Micro 5 An update that solves 11 vulnerabilities, contains two features and has two security fixes can now be installed. Description: This update fixes the following issues: golang-github-prometheus-prometheus: o CVE-2026-27606: Fix arbitrary file write via path traversal in rollup (bsc# 1258893) o Bump rollup to version 4.59.0 o Drop SLE 12 support (jsc#PED-15474) o CVE-2026-25547: Fix unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841): o Bump brace-expansion to version 5.0.2 o Do not build old web UI. Fixes following security vulnerabilities: o CVE-2026-1615: jsonpath: arbitrary code injection due to unsafe evaluation of user-supplied JSON Path expressions (bsc#1257897) o CVE-2025-61140: jsonpath: the value function is vulnerable to prototype pollution (bsc#1257442) o Set source URL in the spec file and drop tar service grafana: o Drop support for SLE 12 (jsc#PED-15474) o Update to version 11.6.11: Features and enhancements: o Alerting: Add limits for the size of expanded notification templates o Correlations: Remove support for org_id=0 Security: o CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136) o Update to version 11.6.10: o API: Add missing scope check on dashboards o Avatar: Require sign-in, remove queue, respect timeout Bug fixes: o Alerting: Fix a race condition panic in ResetStateByRuleUID o Update to version 11.6.9: o Plugins: Add PluginContext to plugins when scenes is disabled o Alerting: Fix contacts point issues o Update to version 11.6.8: o Alerting: Fix unmarshalling of GettableStatus to include time intervals o Update to version 11.6.7: o Auth: Fix render user OAuth passthrough o LDAP Authentication: Fix URL to propagate username context as parameter o Plugins: Dependencies do not inherit parent URL for preinstall o URLParams: Stringify true values as key=true always (fixes issues with variables with true value) o Update to version 11.6.6: o Alerting: Fix copying of recording rule fields o Fix redirection after login when Grafana is served from subpath o Update to version 11.6.5: o Alerting: Bump alerting package to include change to NewTLSClient o Update to version 11.6.4: o StateTimeline: Add endTime to tooltip o Unified storage: Respect GF_DATABASE_URL override o Alerting: Fix group interval override when adding new rules o Azure: Fix legend formatting o Azure: Fix resource name determination in template variable queries o Graphite: Fix annotation queries o Graphite: Fix date mutation o Graphite: Fix nested variable interpolation for repeated rows o Update to version 11.6.3: o Fixes CVE-2025-3415 o Update to version 11.6.2: o Dashboard: Fixes issue with row repeats and first row o Graphite: Ensure template variables are interpolated correctly o Graphite: Fix Graphite series interpolation o Prometheus: Fix semver import path o Update to version 11.6.1: o DashboardScenePage: Correct slug in self referencing data links o GrafanaUI: Use safePolygon close handler for interactive tooltips instead of a delay o Prometheus: Add support for cloud partners Prometheus data sources o Alertmanager: Add Role-Based Access Control via reqAction Field o GrafanaUI: Remove blurred background from overlay backdrops to improve performance o InfluxDB: Fix nested variable interpolation o LDAP test: Fix page crash o Org redirection: Fix linking between orgs o Upgrade to version 11.6.0: o Visualisations: One click links and actions o Annotations: Add cron syntax support o WebGL-powered geomaps for better performance o Alerting: Add alert rule version history o API keys: Migrate API keys to service accounts at startup mgr-push: o Version 5.2.3-0 o Disable build for SLES 16 rhnlib: o Version 5.2.4-0 o Disable build for SLES 16 spacecmd: o Version 5.2.6-0 o Update translation strings spacewalk-client-tools: o Version 5.2.4-0 o Disable build for SLES 16 uyuni-common-libs: o Version 5.2.3-0 o Disable build for SLES 16 uyuni-tools: o Version 5.2.5-0 o Remove migrate command o Remove template script from mgradm: use the one in the image o Split the TFTP server into a separate container o Explicitly start proxy pods after operations (bsc#1258015) o Adjust mgrctl server filter to work with the new helm chart labels o Remove hub register command o Remove the Kubernetes install and upgrade from mgrpxy o Optimize postgres migration disk space usage (bsc#1257447) venv-salt-minion: o Fix the issue preventing SELinux profile to be loaded on SLES 16 deployed using cloud images (bsc#1258957) o Fix the typo causing buiding EL9 bundle without binary dependencies o Backport security patches for Salt vendored tornado: o CVE-2025-67724: missing validation of supplied reason phrase (bsc#1254903) o CVE-2025-67725: fix DoS via malicious HTTP request (bsc#1254905) o CVE-2025-67726: fix HTTP header parameter parsing algorithm (bsc#1254904) o CVE-2025-62349: Add minimum_auth_version to enforce security (bsc#1254257) o CVE-2025-62348: Junos module yaml loader fix (bsc#1254256) Multi-Linux-ManagerTools-Beta-SLE-Micro-release: - Make the product installable on all SLE Micro 5 family Special Instructions and Notes: Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Multi-Linux Manager Beta Client Tools for SLE 15 zypper in -t patch SUSE-MultiLinuxManagerTools-Beta-SLE-15-2026-1148=1 o SUSE Multi-Linux Manager Beta Client Tools for SLE Micro 5 zypper in -t patch SUSE-MultiLinuxManagerTools-Beta-SLE-Micro-5-2026-1148=1 Package List: o SUSE Multi-Linux Manager Beta Client Tools for SLE 15 (noarch) dracut-saltboot-1.1.0-159000.2.2.1 spacecmd-5.2.6-159000.4.3.1 mgr-push-5.2.3-159000.2.3.1 spacewalk-client-tools-5.2.4-159000.4.3.1 mgrctl-lang-5.2.5-159000.2.3.2 python3-defusedxml-0.7.1-159000.4.2.1 supportutils-plugin-salt-1.2.3-159000.4.2.1 python3-spacewalk-client-tools-5.2.4-159000.4.3.1 supportutils-plugin-susemanager-client-5.2.2-159000.4.2.1 python3-mgr-push-5.2.3-159000.2.3.1 python3-rhnlib-5.2.4-159000.4.3.1 mgrctl-bash-completion-5.2.5-159000.2.3.2 mgrctl-zsh-completion-5.2.5-159000.2.3.2 dracut-wireless-0.1.1595937550.0285244-159000.2.2.1 o SUSE Multi-Linux Manager Beta Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64) golang-github-prometheus-alertmanager-debuginfo-0.28.1-159000.12.2.1 prometheus-blackbox_exporter-0.26.0-159000.2.2.1 mgrctl-debuginfo-5.2.5-159000.2.3.2 grafana-debuginfo-11.6.11-159000.2.3.2 python3-uyuni-common-libs-5.2.3-159000.2.3.1 prometheus-postgres_exporter-0.10.1-159000.2.2.1 golang-github-prometheus-node_exporter-1.9.1-159000.4.2.1 golang-github-lusitaniae-apache_exporter-1.0.10-159000.2.2.1 golang-github-prometheus-alertmanager-0.28.1-159000.12.2.1 golang-github-QubitProducts-exporter_exporter-0.4.0-159000.2.2.1 golang-github-prometheus-node_exporter-debuginfo-1.9.1-159000.4.2.1 golang-github-boynux-squid_exporter-1.13.0-159000.2.2.1 golang-github-prometheus-prometheus-debuginfo-3.5.0-159000.4.3.2 golang-github-lusitaniae-apache_exporter-debuginfo-1.0.10-159000.2.2.1 mgrctl-5.2.5-159000.2.3.2 grafana-11.6.11-159000.2.3.2 venv-salt-minion-3006.0-159000.5.3.2 golang-github-boynux-squid_exporter-debuginfo-1.13.0-159000.2.2.1 prometheus-postgres_exporter-debuginfo-0.10.1-159000.2.2.1 firewalld-prometheus-config-0.1-159000.4.3.2 golang-github-prometheus-prometheus-3.5.0-159000.4.3.2 o SUSE Multi-Linux Manager Beta Client Tools for SLE Micro 5 (aarch64 ppc64le s390x x86_64) Multi-Linux-ManagerTools-Beta-SLE-Micro-release-5-159000.3.3.1 mgrctl-debuginfo-5.2.5-159000.2.3.2 golang-github-prometheus-node_exporter-debuginfo-1.9.1-159000.4.2.1 venv-salt-minion-3006.0-159000.5.3.2 mgrctl-5.2.5-159000.2.3.2 golang-github-prometheus-node_exporter-1.9.1-159000.4.2.1 o SUSE Multi-Linux Manager Beta Client Tools for SLE Micro 5 (noarch) dracut-saltboot-1.1.0-159000.2.2.1 mgrctl-lang-5.2.5-159000.2.3.2 mgrctl-bash-completion-5.2.5-159000.2.3.2 mgrctl-zsh-completion-5.2.5-159000.2.3.2 dracut-wireless-0.1.1595937550.0285244-159000.2.2.1 References: o https://www.suse.com/security/cve/CVE-2025-3415.html o https://www.suse.com/security/cve/CVE-2025-61140.html o https://www.suse.com/security/cve/CVE-2025-62348.html o https://www.suse.com/security/cve/CVE-2025-62349.html o https://www.suse.com/security/cve/CVE-2025-67724.html o https://www.suse.com/security/cve/CVE-2025-67725.html o https://www.suse.com/security/cve/CVE-2025-67726.html o https://www.suse.com/security/cve/CVE-2026-1615.html o https://www.suse.com/security/cve/CVE-2026-21722.html o https://www.suse.com/security/cve/CVE-2026-25547.html o https://www.suse.com/security/cve/CVE-2026-27606.html o https://bugzilla.suse.com/show_bug.cgi?id=1254256 o https://bugzilla.suse.com/show_bug.cgi?id=1254257 o https://bugzilla.suse.com/show_bug.cgi?id=1254903 o https://bugzilla.suse.com/show_bug.cgi?id=1254904 o https://bugzilla.suse.com/show_bug.cgi?id=1254905 o https://bugzilla.suse.com/show_bug.cgi?id=1257442 o https://bugzilla.suse.com/show_bug.cgi?id=1257447 o https://bugzilla.suse.com/show_bug.cgi?id=1257841 o https://bugzilla.suse.com/show_bug.cgi?id=1257897 o https://bugzilla.suse.com/show_bug.cgi?id=1258015 o https://bugzilla.suse.com/show_bug.cgi?id=1258136 o https://bugzilla.suse.com/show_bug.cgi?id=1258893 o https://bugzilla.suse.com/show_bug.cgi?id=1258957 o https://jira.suse.com/browse/MSQA-1044 o https://jira.suse.com/browse/PED-15474 - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================
| Vendor | Product | Versions |
|---|---|---|
| SUSE | Multi-Linux Manager Client Tools |