{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-24784","title":"Title"},{"category":"description","text":"kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. The policy group feature, added to by the 1.17.0 release. By being namespaced, the AdmissionPolicyGroup has a well constrained impact on cluster resources. Hence, it's considered safe to allow non-admin users to create and manage these resources in the namespaces they own. Kubewarden policies can be allowed to query the Kubernetes API at evaluation time; these types of policies are called \"context aware\". Context aware policies can perform list and get operations against a Kubernetes cluster. The queries are done using the ServiceAccount of the Policy Server instance that hosts the policy. That means that access to the cluster is determined by the RBAC rules that apply to that ServiceAccount. The AdmissionPolicyGroup CRD allowed the deployment of context aware policies. This could allow an attacker to obtain information about resources that are out of their reach, by leveraging a higher access to the cluster granted to the ServiceAccount token used to run the policy. The impact of this vulnerability depends on the privileges that have been granted to the ServiceAccount used to run the Policy Server and assumes that users are using the recommended best practices of keeping the Policy Server's ServiceAccount least privileged. By default, the Kubewarden helm chart grants access to the following resources (cluster wide) only: Namespace, Pod, Deployment and Ingress. This vulnerability is fixed in 1.21.0.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-24784","url":"https://www.suse.com/security/cve/CVE-2025-24784"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for SUSE-SU-2025:0429-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2025-February/020315.html"}],"title":"SUSE CVE CVE-2025-24784","tracking":{"current_release_date":"2026-01-16T00:37:40Z","generator":{"date":"2025-02-06T03:48:00Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-24784","initial_release_date":"2025-02-06T03:48:00Z","revision_history":[{"date":"2025-02-06T03:48:00Z","number":"2","summary":"Current version"},{"date":"2025-02-11T03:47:35Z","number":"3","summary":"Current version"},{"date":"2025-02-12T03:47:41Z","number":"4","summary":"Current version"},{"date":"2025-02-14T03:49:05Z","number":"5","summary":"Current version"},{"date":"2025-02-15T16:55:50Z","number":"6","summary":"Current version"},{"date":"2025-03-15T03:52:56Z","number":"7","summary":"Current version"},{"date":"2025-04-24T09:48:27Z","number":"8","summary":"Current version"},{"date":"2025-06-17T02:21:58Z","number":"9","summary":"Current version"},{"date":"2025-11-03T00:34:23Z","number":"10","summary":"Current version"},{"date":"2025-12-17T00:44:35Z","number":"11","summary":"description changed"},{"date":"2025-12-19T00:42:22Z","number":"12","summary":"description changed"},{"date":"2026-01-16T00:37:40Z","number":"13","summary":"unknown changes"}],"status":"interim","version":"13"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Server 16.0","product":{"name":"SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250204T220613-1.1","product":{"name":"govulncheck-vulndb-0.0.20250204T220613-1.1","product_id":"govulncheck-vulndb-0.0.20250204T220613-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250204T220613-1.1?upstream=govulncheck-vulndb-0.0.20250204T220613-1.1.src.rpm"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_id":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250814T182633-160000.1.2?upstream=govulncheck-vulndb-0.0.20250814T182633-160000.1.2.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2"},"product_reference":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250204T220613-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250204T220613-1.1"},"product_reference":"govulncheck-vulndb-0.0.20250204T220613-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2025-24784","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-24784"}],"notes":[{"category":"general","text":"kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. The policy group feature, added to by the 1.17.0 release. By being namespaced, the AdmissionPolicyGroup has a well constrained impact on cluster resources. Hence, it's considered safe to allow non-admin users to create and manage these resources in the namespaces they own. Kubewarden policies can be allowed to query the Kubernetes API at evaluation time; these types of policies are called \"context aware\". Context aware policies can perform list and get operations against a Kubernetes cluster. The queries are done using the ServiceAccount of the Policy Server instance that hosts the policy. That means that access to the cluster is determined by the RBAC rules that apply to that ServiceAccount. The AdmissionPolicyGroup CRD allowed the deployment of context aware policies. This could allow an attacker to obtain information about resources that are out of their reach, by leveraging a higher access to the cluster granted to the ServiceAccount token used to run the policy. The impact of this vulnerability depends on the privileges that have been granted to the ServiceAccount used to run the Policy Server and assumes that users are using the recommended best practices of keeping the Policy Server's ServiceAccount least privileged. By default, the Kubewarden helm chart grants access to the following resources (cluster wide) only: Namespace, Pod, Deployment and Ingress. This vulnerability is fixed in 1.21.0.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250204T220613-1.1"]},"references":[{"category":"external","summary":"CVE-2025-24784","url":"https://www.suse.com/security/cve/CVE-2025-24784"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for SUSE-SU-2025:0429-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2025-February/020315.html"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250204T220613-1.1"]}],"threats":[{"category":"impact","date":"2025-01-30T17:00:52Z","details":"moderate"}],"title":"CVE-2025-24784"}]}