The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20177-1 advisory.

    Update to version 3.5.0:

    Security issues fixed:

    - CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods     from global (bsc#1257329).
    - CVE-2025-12816: interpretation conflict vulnerability allowing bypassing cryptographic verifications     (bsc#1255588).

    Other updates and bugfixes:

    - Update to 3.5.0 (jsc#PED-13824):

      * [FEATURE] Remote-write: Add support for Azure Workload Identity         as an authentication method for the receiver.
      * [FEATURE] PromQL: Add first_over_time(...) and         ts_of_first_over_time(...) behind feature flag.
      * [FEATURE] Federation: Add support for native histograms with         custom buckets (NHCB).
      * [ENHANCEMENT] PromQL: Add warn-level annotations for counter         reset conflicts in certain histogram operations.
      * [ENHANCEMENT] UI: Add scrape interval and scrape timeout to         targets page.

    - Update to 3.4.0:

      * Add unified AWS service discovery for ec2, lightsail and ecs services.
      * [FEATURE] Native histograms are now a stable, but optional         feature.
      * [FEATURE] UI: Show detailed relabeling steps for each         discovered target.
      * [ENHANCEMENT] Alerting: Add unknown state for alerting rules         that haven't been evaluated yet.
      * [BUGFIX] Scrape: Fix a bug where scrape cache would not be         cleared on startup.

    - Update to 3.3.0:

      * [FEATURE] Spring Boot 3.3 includes support for the Prometheus         Client 1.x.
      * [ENHANCEMENT] Dependency management for Dropwizard Metrics has         been removed.

    - Update to 3.2.0:

      * [FEATURE] OAuth2: support jwt-bearer grant-type (RFC7523 3.1).
      * [ENHANCEMENT] PromQL: Reconcile mismatched NHCB bounds in Add         and Sub.
      * [BUGFIX] TSDB: Native Histogram Custom Bounds with a NaN         threshold are now rejected.

    - Update to 3.1.0:

      * [FEATURE] Remote-write 2 (receiving): Update to 2.0-rc.4 spec.
        created timestamp (CT) is now called start timestamp (ST).
      * [BUGFIX] Mixin: Add static UID to the remote-write dashboard.

    - Update to 3.0.1:

      * [BUGFIX] Promql: Make subqueries left open.
      * [BUGFIX] Fix memory leak when query log is enabled.
      * [BUGFIX] Support utf8 names on /v1/label/:name/values endpoint.

    - Update to 3.0.0:

      * [CHANGE] Deprecated feature flags removed.
      * [FEATURE] New UI.
      * [FEATURE] Remote Write 2.0.
      * [FEATURE] OpenTelemetry Support.
      * [FEATURE] UTF-8 support is now stable and enabled by default.
      * [FEATURE] OTLP Ingestion.
      * [FEATURE] Native Histograms.
      * [BUGFIX] PromQL: Fix count_values for histograms.
      * [BUGFIX] TSDB: Fix race on stale values in headAppender.
      * [BUGFIX] UI: Fix selector / series formatting for empty metric         names.

    - Update to 2.55.0:

      * [FEATURE] PromQL: Add `last_over_time` function.
      * [FEATURE] Agent: Add `prometheus_agent_build_info` metric.
      * [ENHANCEMENT] PromQL: Optimise `group()` and `group by()`.
      * [ENHANCEMENT] TSDB: Reduce memory usage when loading blocks.
      * [BUGFIX] Scrape: Fix a bug where a target could be scraped         multiple times.

    - Update to 2.54.0:

      * [CHANGE] Remote-Write: highest_timestamp_in_seconds and         queue_highest_sent_timestamp_seconds metrics now initialized to         0.
      * [CHANGE] API: Split warnings from info annotations in API         response.
      * [FEATURE] Remote-Write: Version 2.0 experimental, plus metadata         in WAL via feature flag.
      * [FEATURE] PromQL: add limitk() and limit_ratio() aggregation         operators.
      * [ENHANCEMENT] PromQL: Accept underscores in literal numbers.
      * [ENHANCEMENT] PromQL: float literal numbers and durations are         now interchangeable (experimental).
      * [ENHANCEMENT] PromQL (experimental native histograms): Optimize         histogram_count and histogram_sum functions.
      * [BUGFIX] PromQL: Fix various issues with native histograms.
      * [BUGFIX] TSDB: Fix race on stale values in headAppender.
      * [BUGFIX] OTLP receiver: Allow colons in non-standard units.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

openSUSE 16 Security Update : golang-github-prometheus-prometheus (openSUSE-SU-2026:20177-1)

high Nessus Plugin ID 298293

Version 1.2

Version 1.1

Version 1.2 Feb 18, 2026, 9:24 AM CVSS metrics ("CVSSv2 score" set to 5.0) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N") CVSS metrics ("CVSSv3 score" set to 5.3) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N") CVSSv2 severity (based on CVE-2025-13465, severity decreased from "High" to "Medium") CVSSv3 score source (changed from "CVE-2025-12816" to none) CVSSv3 severity (based on None, severity decreased from "High" to "Medium") Plugin Feed: 202602180924
Version 1.1 Feb 7, 2026, 9:06 AM New Plugin Feed: 202602070906