{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"critical"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-32445","title":"Title"},{"category":"description","text":"Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-32445","url":"https://www.suse.com/security/cve/CVE-2025-32445"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:15017-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XCF7AZBKQYAQXK32J6F54H6NREFBK2V7/"}],"title":"SUSE CVE CVE-2025-32445","tracking":{"current_release_date":"2026-02-06T00:49:02Z","generator":{"date":"2025-04-24T03:24:19Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-32445","initial_release_date":"2025-04-24T03:24:19Z","revision_history":[{"date":"2025-04-24T03:24:19Z","number":"2","summary":"Current version"},{"date":"2025-04-25T02:14:21Z","number":"3","summary":"Current version"},{"date":"2025-11-03T00:30:57Z","number":"4","summary":"Current version"},{"date":"2026-02-06T00:49:02Z","number":"5","summary":"unknown changes"}],"status":"interim","version":"5"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Server 16.0","product":{"name":"SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250422T181640-1.1","product":{"name":"govulncheck-vulndb-0.0.20250422T181640-1.1","product_id":"govulncheck-vulndb-0.0.20250422T181640-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250422T181640-1.1?upstream=govulncheck-vulndb-0.0.20250422T181640-1.1.src.rpm"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_id":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250814T182633-160000.1.2?upstream=govulncheck-vulndb-0.0.20250814T182633-160000.1.2.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2"},"product_reference":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250422T181640-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250422T181640-1.1"},"product_reference":"govulncheck-vulndb-0.0.20250422T181640-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2025-32445","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-32445"}],"notes":[{"category":"general","text":"Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250422T181640-1.1"]},"references":[{"category":"external","summary":"CVE-2025-32445","url":"https://www.suse.com/security/cve/CVE-2025-32445"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:15017-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XCF7AZBKQYAQXK32J6F54H6NREFBK2V7/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250422T181640-1.1"]}],"threats":[{"category":"impact","date":"2025-04-15T14:00:34Z","details":"critical"}],"title":"CVE-2025-32445"}]}