SUSE SLES15 / openSUSE 15 Security Update : golang-github-prometheus-alertmanager (SUSE-SU-2025:4481-1)

high Nessus Plugin ID 279374

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2025:4481-1 advisory.

- Update to version 0.28.1 (jsc#PED-13285):
* Improved performance of inhibition rules when using Equal labels.
* Improve the documentation on escaping in UTF-8 matchers.
* Update alertmanager_config_hash metric help to document the hash is not cryptographically strong.
* Fix panic in amtool when using --verbose.
* Fix templating of channel field for Rocket.Chat.
* Fix rocketchat_configs written as rocket_configs in docs.
* Fix usage for --enable-feature flag.
* Trim whitespace from OpsGenie API Key.
* Fix Jira project template not rendered when searching for existing issues.
* Fix subtle bug in JSON/YAML encoding of inhibition rules that would cause Equal labels to be omitted.
* Fix header for slack_configs in docs.
* Fix weight and wrap of Microsoft Teams notifications.
- Upgrade to version 0.28.0:
* CVE-2025-47908: Bump github.com/rs/cors (bsc#1247748).
* Templating errors in the SNS integration now return an error.
* Adopt log/slog, drop go-kit/log.
* Add a new Microsoft Teams integration based on Flows.
* Add a new Rocket.Chat integration.
* Add a new Jira integration.
* Add support for GOMEMLIMIT, enable it via the feature flag --enable-feature=auto-gomemlimit.
* Add support for GOMAXPROCS, enable it via the feature flag --enable-feature=auto-gomaxprocs.
* Add support for limits of silences including the maximum number of active and pending silences, and the maximum size per silence (in bytes). You can use the flags --silences.max-silences and --silences.max-silence-size-bytes to set them accordingly.
* Muted alerts now show whether they are suppressed or not in both the /api/v2/alerts endpoint and the Alertmanager UI.
- Upgrade to version 0.27.0:
* API: Removal of all api/v1/ endpoints. These endpoints now log and return a deprecation message and respond with a status code of 410.
* UTF-8 Support: Introduction of support for any UTF-8 character as part of label names and matchers.
* Discord Integration: Enforce max length in message.
* Metrics: Introduced the experimental feature flag --enable-feature=receiver-name-in-metrics to include the receiver name.
* Metrics: Introduced a new gauge named alertmanager_inhibition_rules that counts the number of configured inhibition rules.
* Metrics: Introduced a new counter named alertmanager_alerts_supressed_total that tracks muted alerts, it contains a reason label to indicate the source of the mute.
* Discord Integration: Introduced support for webhook_url_file.
* Microsoft Teams Integration: Introduced support for webhook_url_file.
* Microsoft Teams Integration: Add support for summary.
* Metrics: Notification metrics now support two new values for the label reason, contextCanceled and contextDeadlineExceeded.
* Email Integration: Contents of auth_password_file are now trimmed of prefixed and suffixed whitespace.
* amtool: Fixes the error scheme required for webhook url when using amtool with --alertmanager.url.
* Mixin: Fix AlertmanagerFailedToSendAlerts, AlertmanagerClusterFailedToSendAlerts, and AlertmanagerClusterFailedToSendAlerts to make sure they ignore the reason label.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected golang-github-prometheus-alertmanager package.

See Also

https://bugzilla.suse.com/1247748

http://www.nessus.org/u?2929cd85

https://www.suse.com/security/cve/CVE-2025-47908

Plugin Details

Severity: High

ID: 279374

File Name: suse_SU-2025-4481-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/19/2025

Updated: 12/19/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-47908

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:golang-github-prometheus-alertmanager

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/18/2025

Vulnerability Publication Date: 7/5/2024

Reference Information

CVE: CVE-2025-47908

SuSE: SUSE-SU-2025:4481-1