Detections
Analytics

SUSE SLES15 / openSUSE 15 Security Update : helm (SUSE-SU-2025:02121-1)

medium Nessus Plugin ID 240738

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:02121-1 advisory.

 Update to version 3.18.3:

 * build(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0 6838ebc (dependabot[bot])
 * fix: user username password for login 5b9e2f6 (Terry Howe)
 * Update pkg/registry/transport.go 2782412 (Terry Howe)
 * Update pkg/registry/transport.go e66cf6a (Terry Howe)
 * fix: add debug logging to oci transport 191f05c (Terry Howe)

 Update to version 3.18.2:

 * fix: legacy docker support broken for login 04cad46 (Terry Howe)
 * Handle an empty registry config file. bc9f8a2 (Matt Farina)

 Update to version 3.18.1:

 * Notes:

 - This release fixes regressions around template generation and OCI registry interaction in 3.18.0
 - There are at least 2 known regressions unaddressed in this release. They are being worked on.
 - Empty registry configuration files. When the file exists but it is empty.
 - Login to Docker Hub on some domains fails.

 * Changelog

 - fix(client): skipnode utilization for PreCopy
 - fix(client): layers now returns manifest - remove duplicate from descriptors
 - fix(client): return nil on non-allowed media types
 - Prevent fetching newReference again as we have in calling method
 - Prevent failure when resolving version tags in oras memory store
 - Update pkg/plugin/plugin.go
 - Update pkg/plugin/plugin.go
 - Wait for Helm v4 before raising when platformCommand and Command are set
 - Fix 3.18.0 regression: registry login with scheme
 - Revert 'fix (helm) : toToml` renders int as float [ backport to v3 ]'

 Update to version 3.18.0 (bsc#1241802, CVE-2025-22872):

 * Notable Changes

 - Add support for JSON Schema 2020
 - Enabled cpu and memory profiling
 - Add hook annotation to output hook logs to client on error

 * Changelog

 - build(deps): bump the k8s-io group with 7 updates
 - fix: govulncheck workflow
 - bump version to v3.18.0
 - fix:add proxy support when mTLS configured
 - docs: Note about http fallback for OCI registries
 - Bump net package to avoid CVE on dev-v3
 - Bump toml
 - backport #30677to dev3
 - build(deps): bump github.com/rubenv/sql-migrate from 1.7.2 to 1.8.0
 - Add install test for TakeOwnership flag
 - Fix --take-ownership
 - build(deps): bump github.com/rubenv/sql-migrate from 1.7.1 to 1.7.2
 - build(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0
 - build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0
 - Testing text bump
 - Permit more Go version and not only 1.23.8
 - Bumps github.com/distribution/distribution/v3 from 3.0.0-rc.3 to 3.0.0
 - Unarchiving fix
 - Fix typo
 - Report as debug log, the time spent waiting for resources
 - build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27
 - Update pkg/registry/fallback.go
 - automatic fallback to http
 - chore(oci): upgrade to ORAS v2
 - Updating to 0.37.0 for x/net
 - build(deps): bump the k8s-io group with 7 updates
 - build(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0
 - build(deps): bump github.com/opencontainers/image-spec
 - build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26
 - build(deps): bump golang.org/x/crypto from 0.33.0 to 0.35.0
 - Fix cherry-pick helm.sh/helm/v4 -> helm.sh/helm/v3
 - Add HookOutputFunc and generic yaml unmarshaller
 - clarify fix error message
 - fix err check
 - add short circuit return
 - Add hook annotations to output pod logs to client on success and fail
 - chore: use []error instead of []string
 - Update cmd/helm/profiling.go
 - chore: update profiling doc in CONTRIBUTING.md
 - Update CONTRIBUTING guide
 - Prefer environment variables to CLI flags
 - Move pprof paths to HELM_PPROF env variable
 - feat: Add flags to enable CPU and memory profiling
 - build(deps): bump github.com/distribution/distribution/v3
 - build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1
 - Moving to SetOut and SetErr for Cobra
 - build(deps): bump the k8s-io group with 7 updates
 - build(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0
 - build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0
 - build(deps): bump golang.org/x/text from 0.21.0 to 0.22.0
 - build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
 - build(deps): bump github.com/cyphar/filepath-securejoin
 - build(deps): bump github.com/evanphx/json-patch
 - build(deps): bump the k8s-io group with 7 updates
 - fix: check group for resource info match
 - Bump github.com/cyphar/filepath-securejoin from 0.3.6 to 0.4.0
 - add test for nullifying nested global value
 - Ensuring the file paths are clean prior to passing to securejoin
 - Bump github.com/containerd/containerd from 1.7.24 to 1.7.25
 - Bump golang.org/x/crypto from 0.31.0 to 0.32.0
 - Bump golang.org/x/term from 0.27.0 to 0.28.0
 - bump version to v3.17.0
 - Bump github.com/moby/term from 0.5.0 to 0.5.2
 - Add test case for removing an entire object
 - Tests for bugfix: Override subcharts with null values #12879
 - feat: Added multi-platform plugin hook support to v3
 - This commit fixes the issue where the yaml.Unmarshaller converts all int values into float64, this passes in option to decoder, which enables conversion of int into .
 - merge null child chart objects

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected helm, helm-bash-completion, helm-fish-completion and / or helm-zsh-completion packages.

See Also

https://bugzilla.suse.com/1241802

https://lists.suse.com/pipermail/sle-updates/2025-June/040492.html

https://www.suse.com/security/cve/CVE-2025-22872

Plugin Details

Severity: Medium

ID: 240738

File Name: suse_SU-2025-02121-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 6/27/2025

Updated: 6/27/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-22872

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Threat Score: 1.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:helm, p-cpe:/a:novell:suse_linux:helm-bash-completion, p-cpe:/a:novell:suse_linux:helm-zsh-completion, p-cpe:/a:novell:suse_linux:helm-fish-completion

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/26/2025

Vulnerability Publication Date: 3/27/2025

Reference Information

CVE: CVE-2025-22872

SuSE: SUSE-SU-2025:02121-1