SUSE SLES15 Security Update : aws-iam-authenticator (SUSE-SU-2026:2643-1)

critical Nessus Plugin ID 323251

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2643-1 advisory.

This update for aws-iam-authenticator fixes the following issues:

- CVE-2022-1996: CORS bypass (bsc#1200528).
- CVE-2022-2385: aws-iam-authenticator AccessKeyID validation bypass (bsc#1201395).
- CVE-2024-39689: remove root certificates from `GLOBALTRUST` from the root store.
- CVE-2025-47910: net/http: CrossOriginProtection bypass patterns are over-broad.
- CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265842).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege escalation (bsc#1266651).

Changes for aws-iam-authenticator:

- Update to version 0.7.18
* Merge pull request (#1062) from CaidenBorrego/new-release
* Creating new release for CVE mitigation
* Merge pull request (#1057) from CaidenBorrego/caidenb-versionbump
* Merge remote-tracking branch 'upstream/master' into caidenb-versionbump
* Bump x/net and x/sys to remediate CVEs (bsc#1266651, CVE-2026-39821)
- Update to 0.7.17
* Merge pull request #1051 from CaidenBorrego/caidenb-versionbump
* bumping version from 0.7.16->0.7.17
* Merge pull request #1047 from CaidenBorrego/caidenb-reservedprefix-fix
* fix: honor reservedPrefixConfig for ConfigMap and CRD backends
* Merge pull request #1046 from CaidenBorrego/caidenb-gorunner-bump
* fix: reject malformed mapping ARN in userIDStrict mode for dynamic files
- Update to 0.7.16
* Merge pull request #1041 from ronaldngounou/rngounou/bump-go-1.26.3
* Pin GitHub Actions to full-length commit SHAs
* fix: bump go version to 1.26.3 for CVEs
- from version 0.7.15
* Merge pull request #1035 from Ganiredi/bump-version-0.7.15
* Bump version to 0.7.15
* Merge pull request #1030 from Ganiredi/1.36-k8s-deps
* 1.36.0 dependency update
- from version 0.7.14
* Merge pull request #1029 from CaidenBorrego/caidenb-gorunner-bump
* Bump version to 0.7.14
* Bumping gorunner image tag in Dockerfile for CVE mitigation
- from version 0.7.13
* Merge pull request #1020 from dheeraj-coding/master
* feat: add manual dispatch function for create-release.yml
* Merge pull request #1019 from dheeraj-coding/master
* fix: create-release workflow failures
* Merge pull request #1017 from Ganiredi/1.36-k8s-deps
* Merge pull request #1018 from dheeraj-coding/master
* fix: build failure due to stale gcb image by updating to latest
* Release 0.7.13
* Merge pull request #1016 from Ganiredi/1.36-k8s-deps
* Merge branch 'master' into 1.36-k8s-deps
* Merge pull request #1013 from kubernetes-sigs/dependabot/go_modules/misc-dependencies-be00ae3611
* 1.36.rc release
* Merge pull request #1015 from dheeraj-coding/master
* fix: bump go version 1.26.2 for CVEs
* chore(deps): Bump the misc-dependencies group across 3 directories with 6 updates (bsc#1265842, CVE-2026-33814)
* Merge pull request #1011 from kubernetes-sigs/dependabot/go_modules/observability-dependencies-9e34dd3c34
* Merge pull request #1009 from kubernetes-sigs/dependabot/go_modules/misc-dependencies-b5e1eeb2d5
* Merge pull request #1004 from bryantbiggs/chore/fix-goreleaser-deprecations
* Merge pull request #1010 from kubernetes-sigs/dependabot/go_modules/aws-dependencies-7118f1d525
* chore(deps): Bump the observability-dependencies group across 2 directories with 2 updates
* chore(deps): Bump the aws-dependencies group across 2 directories with 6 updates
* chore(deps): Bump the misc-dependencies group across 3 directories with 2 updates
* Merge pull request #1008 from kubernetes-sigs/dependabot/go_modules/aws-dependencies-3ce7b5fcac
* chore(deps): Bump the aws-dependencies group across 2 directories with 12 updates
* Merge pull request #1006 from kubernetes-sigs/dependabot/go_modules/k8s-dependencies-09346e948b
* chore(deps): Bump the k8s-dependencies group across 3 directories with 8 updates
* Merge pull request #1005 from kubernetes-sigs/dependabot/go_modules/aws-dependencies-508cd0fd8e
* chore(deps): Bump the aws-dependencies group across 2 directories with 15 updates
* fix: update Makefile goreleaser target for v2 compatibility
* fix: resolve goreleaser v2 deprecations
- Update to version 0.7.12
* Update OWNERS in reviewers and approvers list
* Release 0.7.12
* ci: add verify job to catch unrun gofmt and go mod tidy
* chore(lint): harden linter config and fix coverage gaps
* fix(lint): add revive and unparam linters with full compliance
* ci: add unit test job, expand golangci config, add make update/verify
* docs(e2e): fix Go version, remove non-existent make target, fix typo
* docs(release): remove stale ECR image update instructions and fix asset version placeholders
* fix: address code review findings in repo cleanup branch
* docs: rewrite development.md as a practical local dev guide
* chore: repo cleanup, developer experience improvements
* chore: reduce binary size by 59% (80 MB -> 33 MB)
* fix(lint): replace deprecated NewSimpleClientset and fix embedded field selector
* fix(tests): address code review findings in integration test framework
* fix(tests): address post-refactor issues and add go workspace
* refactor(tests): remove k8s.io/kubernetes dependency from test modules
* chore: update all dependencies to latest versions
- Set GOWORK=off to make building with vendored dependencies work
- Update to version 0.7.11
* Merge pull request #988 from dstdfx/bump-version
* Bump version to 0.7.11
* Merge pull request #985 from dstdfx/bump-go-version-1.25.7
* Update go.mod for e2e/int tests
* Update go.mod
* Merge pull request #986 from ShiriNmi1520/master
* Clarify README 'Run the server' deployment instructions
* Bump go to 1.25.7
* Merge pull request #983 from eks-distro-pr-bot/eks-distro-pr-bot/go-version-bumps
* Creating PR to update Go version to 1.25.6
- Update to version 0.7.10:
* 1.35.0 dependency update
* Creating PR to update Go version to 1.25.5
* chore(deps): Bump the observability-dependencies group across 2 directories with 1 update
* chore(deps): Bump the misc-dependencies group across 3 directories with 13 updates
* chore(deps): Bump the observability-dependencies group across 1 directory with 2 updates
* chore(deps): Bump the misc-dependencies group across 3 directories with 27 updates
* chore(deps): Bump the aws-dependencies group across 2 directories with 11 updates
* chore(deps): Bump the misc-dependencies group across 2 directories with 17 updates
- Update to version 0.7.9
* Creating PR to update Go version to 1.25.4
* chore(deps): Bump the aws-dependencies group across 2 directories with 13 updates
* chore(deps): Bump golangci/golangci-lint-action in the actions group
* chore(deps): Bump the observability-dependencies group across 3 directories with 2 updates
* chore(deps): Bump sigs.k8s.io/apiserver-network-proxy/konnectivity-client
* chore(deps): Bump the aws-dependencies group across 2 directories with 14 updates
* bump golang version to 1.25.3
* Creating PR to update Go version to 1.25.3
* chore(deps): Bump github.com/onsi/ginkgo/v2
* chore(deps): Bump the observability-dependencies group across 3 directories with 1 update
* chore(deps): Bump the misc-dependencies group across 3 directories with 11 updates
* chore(deps): Bump the misc-dependencies group across 3 directories with 5 updates
* chore(deps): Bump the aws-dependencies group across 2 directories with 3 updates
- Update to version 0.7.8
* chore: Bump indirect Kubernetes dependencies to latest
* chore: Bump Kubernetes dependencies to latest
* Bump the misc-dependencies group across 3 directories with 18 updates
* Bump the aws-dependencies group across 2 directories with 11 updates
* Fix CVE-2025-47910
* Bump go.opentelemetry.io/auto/sdk
* Bump the aws-dependencies group across 2 directories with 1 update
* Bump the misc-dependencies group across 3 directories with 10 updates
- from version 0.7.7
* add support for aws-eusc partition
* chore: Commit changes from `make codegen`
* fix: Use `.go-version` for the go version
* feat: Add `golanglint-ci` pull request review; resolve all findings
* Add haoranleo as approver
* Bump the observability-dependencies group across 3 directories with 3 updates
* Bump actions/setup-go from 5 to 6 in the actions group
* Bump the misc-dependencies group across 3 directories with 8 updates
* Bump github.com/coreos/go-oidc
* Bump the observability-dependencies group across 3 directories with 12 updates
- from version 0.7.6
* feat: Update go version to `1.25`; update dependencies to latest to patch reported vulnerabilities
* Force TCP URLs for etcd compatibility
* Update go dependencies with 1.34.0
* Bump the k8s-dependencies group across 3 directories with 8 updates
* Bump the k8s-dependencies group across 3 directories with 1 update
* Bump actions/checkout from 4 to 5 in the actions group
* Bump the aws-dependencies group across 2 directories with 13 updates
- from version 0.7.5
* migrate hostname verification to sdk go v2
- from version 0.7.4
* chore: Move observability dependencies to separate dependabot update group
* Bump the aws-dependencies group across 2 directories with 12 updates
- from version 0.7.3
* update Approvers/reviewers
* update go version to 1.24.4
* added logs for global region fallback
* added global region fallback to imds
* Bump sigs.k8s.io/apiserver-network-proxy/konnectivity-client
* bumps kops and k8s versions, replaced node label 'master' with 'control-plane'
* added imds logic back in, with EC2_METADATA enabled by default
* removed headersourceacct from ststest, return err if no region cfg
* added context chaining, cleanup
* add context chaining, client config fixes
* Move non problematic cache logs into debug
* Rename log-level to log-verbosity, remove AutomaticEnv
* lint fixes
* get region from imds if not in config
* added go.sum entries for tests/integration, fixed imds nil pointer dereference
* Revert 'Bump sigs.k8s.io/apiserver-network-proxy/konnectivity-client'
* added some context chaining, fixed region config in GetWithOptions
* updated arn, deleted v1-v2 creds converter
* updated pkg/token to v2
* updated pkg/filecache
* updated arn in pkg/server to use v2
* updated pkg/server to use v2
* upgraded ec2provider
* Bump the misc-dependencies group across 3 directories with 5 updates
* Bump the misc-dependencies group across 3 directories with 6 updates
* Bump the misc-dependencies group across 3 directories with 9 updates
* Use logrus for filecache logs
* Add quiet mode (cache only)
- from version 0.7.2
* Bump the misc-dependencies group across 3 directories with 43 updates
* Bump the k8s-dependencies group across 3 directories with 2 updates
- from version 0.7.1
* Revert 'Add 2 more tag validation checks'
* Update the gorunner to v0.18.0-eks-1-32-latest
* update the go version to 1.24.2
* adding yue9944882 to owner
* adds http2 support
* Bump the aws-dependencies group across 2 directories with 3 updates
* Update configmap.go
* release authenticator from mainline with 0.7.0
* Bump goreleaser/goreleaser-action from 5 to 6 in the actions group
* Bump the misc-dependencies group across 3 directories with 41 updates
* Remove no-op err assignment
* Fix credential expirability check
* chore: Update golang x package transitive dependencies
* fix: Correct codegen script due to deprecated script removal
* Update configmap test per 1.32.0 change in client-go
* Update upstream dependencies to v1.32.0
* chore: Update to go `1.23.4`
* deps: Update `golang.org/x/crypto` library to remediate high CVE
* chore: Add dependabot configuration to automatically check for package updates weekly
* handle scenario when the file is created but doesn't have content
* update code and add tests
* remove nnmin-aws from approver list
* add kmala to the owners list
* update metrics dimension to stsregion
* add default timeout for http client
* log sts host instead of global/regional
* update log
* remove typo and log line
* remove typo
* Bump test go versions
* add logs and metrics dimensions to find sts call success/failures on global/regional endpoints
* Bump go minor version
* Update aws-iam-authenticator installation command
* use protobuf content type instead of json for k8s client
* Update RELEASE.md
* Bump go-restful in e2e and integration tests
* Bump go-restful
* Remove outdated changelog artifacts
* Bump deploy/example.yaml version
* Update filecache to use AWS SDK Go V2 with wrappers
* Refactored token filecache
* Fix x-amz-expires header value
* Remove parameterized AWS session from token.go
* Parse source account from sourceARN
* Add sourceArn to sts through headers
* Add configurable Now time for signature generation
* cleanup to use composite literals
* update to sig.k8s.io namespace
* retain original field
* update the image to latest to fix CVE-2024-39689
* add a namespaced field
* Update upstream dependencies to v1.31.0
* update the go version to 1.22.5
* Add unit test
* skip service validation to get the default regions endpoint
* fix: Run `go mod tidy` to fix `go.sum` files
* fix: Update goreleaser workflow to fix warnings and artifact generation
* update aws go sdk to 1.54.6
* chore: Remove emeritus reviewers from `SECURITY_CONTACTS`
* fix: Add random string to e2e test role to avoid pipeline run conflicts
* fix: Run `go mod tidy` from `tests/integration` directory
* chore: Update CLI dependencies `cobra` and `viper`
* updating google.golang.org/grpc/otelgrpc to v0.47.0
* chore: Update CI action versions, remove `push` trigger
* chore: Align go versions and remove unused files
* updating k8s client libraries and go version
* adding new approvers - nnmin-aws
* Bump go version to 1.21.8
* Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0
* chore: Re-update to latest patch version of K8s packages
* fix time formatting
* refactor structs for dynamic file load
* add support for adoption rate metrics for cam
* add support for e2e latency for dynamic mode
* Switch to GOTOOLCHAIN env setting from gimme
* Switch back to use go-version from go-image-tag
* Switch to use go-image-tag from go-version
* Repo controlled build go version
* chore: Re-update and align
* fix semantic error
* feat: Re-update K8s packages to latest release
* fix: Use `SIGDescribe`
* fix: Use `framework.WithDisruptive()`
* fix: [Disruptive] in plain text is deprecated and must be added through WithDisruptive instead
* chore: Update dependencies for `e2e` tests
* fix: Add context to `StartTestServer`
* fix: Align integration test `replace` versions in `go.mod`
* fix: Fix codegen and update `replace` test integration dependencies
* fix: Integration test dependencies run `go mod tidy`
* fix: Downgrade `k8s.io/sample-controller` which requires updating context handling
* chore: Update app K8s dependencies
* adding nnmin-aws into reviewers
* Replace deprecated `ioutil` package
* fix base image to use latest
* minor fix the IAM user arn verification
* Fix role ARN comparison for user ID strict check (#669)
* Check ARN for user ID strict check (#660)
* Update go to 1.21.5
* Change s3 bucket for e2e tests, current default exists somewhere (#652)
- Bump minimum Go version to 1.25 in BuildRequires
- Update to version 0.6.31
- from version 0.6.30
* Small fixes missed during cherrypicking
* Cherry-picked file changes from commit https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/554/commits
* Simplify featuregate flag parsing for SSORoleMatch
* Support un-canonicalized ARNs in filemapper
* Add SSO Role suffix support (#416)
* Chore: Update golang x package transitive dependencies
- Add -buildmode=pie to go build command line (bsc#1239947)
- Update to version 0.6.29
- from version 0.6.28
* Update owners list to sync master branch
* Update log
* Add logs and metrics dimensions to find sts call success/failures on global/regional endpoints
* Return 429 for STS throttling
- Update to 0.6.27
- from version 0.6.26
- from version 0.6.25
- from version 0.6.24
* Update the image to latest to fix CVE-2024-3968
- from version 0.6.23
- Update to version 0.6.22
- Update to version 0.6.21
- from version 0.6.20
* Merge pull request #713 from jaidevmane/updating-otelgrpc-to-v0.51.0
* Merge pull request #709 from bryantbiggs/chore/update-ci-versions
* Merge pull request #708 from jaidevmane/updating-deps
* Merge pull request #707 from jaidevmane/adding-new-approvers
* Merge pull request #687 from bryantbiggs/chore/update-app-k8s-dependencies
- from version 0.6.19
* Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0
- from version 0.6.18
- from version 0.6.17
* Fix base image to use latest and release v0.6.17
- from version 0.6.16
- from version 0.6.15
* Fix role ARN comparison for user ID strict check (#669) (#671)
- Bump minimum Go version to 1.22 in BuildRequires
- Update to version 0.6.14
* Check ARN for user ID strict check (#660) (#664)
* Update go to 1.21.5 (#663)
* Update go to 1.21.4 (#648) (#659)
- Update to version 0.6.13
* Cherry-pick: Fix federated user ID parsing #644 (#654)
* Fix issue 606: use latest version of aws-sdk-go (#650)
* Change s3 bucket for e2e tests, current default exists somewhere (#653)
- from version 0.6.12
* Avoid parsing single quote empty inputs
* Avoid parsing known empty inputs
- Update to version 0.6.11
* Optimize only rebuild mapper when the actual backend modes change
* Add int test for dynamic backend mode
* Add DynamicBackendMode
* Allow running create release from Github UI
- Update to version 0.6.10
* Update go.sum
* Only replace x/net
* Add build-all-images make target
* Enable cross-compilation in Dockerfile
- from version 0.6.9
* Add DynamicFileError Metric
- from version 0.6.8
* Add comments explicitly on what we need to do later
* Shutdown gracefully and avoid the extra thread leak checks that EtcdMain barfs on
* Switch to newer ginkgo v2
* Bump dependencies and go version (in go.mod) (bsc#1200528, CVE-2022-1996)
- from version 0.6.7
* (no changes)
- from version 0.6.6
* Add Username Prefix Enforce for DynamicFile mode
- from version 0.6.5
* Update the aws sdk go version to latest
* Update base image in Docker file
- from version 0.6.4
* Look up RoleMapping with UserId in dynamicfile mode
* Install kind if it doesn't exist to _output
* Update server_test for expose principal ID in audit log
* Expose Principal Id to audit log
* Migrate away from google.com gcp project k8s-testimages
* Build s390x/ppc64le binaries
* Add default instance region in sts hostname
- from version 0.6.3
* Bump aws sdk go to v1.44.145
* Update Dockerfile to pull from https://gallery.ecr.aws/eks-distro-build-tooling/golang to avoid reaching pull rate limit from docker.io
* Add go mod for E2E
* Add install kind into e2e script
* Move e2e test from start dev script + minor fix for run.sh
* Add end to end test for mountfile mode in kind Update Makefile to support run e2e from either kind or kops.
* Add end to end test for dynamicfile backend
- Update to version 0.6.2
* Add automatic release creation
* Add tag workflow to release-0.6 branch
* Remove dependency from PR #416
* Revert 'Add SSO Role suffix support (#416)'
- from version 0.6.1
* Test release tagging
* Fix file permissions
* Tag release on update to version.txt
* Update Dockerfile to pull from https://gallery.ecr.aws/eks-distro-build-tooling/golang to avoid reaching pull rate limit from docker.io
* Added Issue and PR templates (#517)
* Update Dockerfile to use Golang as builder
- from version 0.6.0
* Print CommitID too on startup
* Print version on startup
* Add new backend mode DYNAMICFILE
* Update go.mod and go.sum for tests/integrations
* Replace tabs with spaces in go.mod
* Bump aws sdk go to v1.44.107
* Minor fix on the script to solve permission denied issue when run make start-dev
* Working E2E tests in prow
* Non-blocking E2E tests
* Add e2e recipe to Makefile
* Basic E2E testing for authenticator
* Initialize metrics in NewVerifier() if needed
* Added ConfiguredInitDirectories featuregate for init command
* rm more v1alpha1 version
* Bump 0.6 (#471)
* Bump version in Makefile
* Add query parameter validation for multiple parameters
* Replace deprecated seccomp annotation with seccompProfile.
* Replace deprecated critical pod annotation with priorityClassName.
* Whitespace consistency fixes.
* Use rbac.authorization.k8s.io/v1 instead of v1beta1 in example manifest.
* Lowercase the ARN keys
* Remove vendor directory
* linux/amd64 only for image target
* Don't push on image target
- from version 0.5.16
* Shutdown gracefully and avoid the extra thread leak checks that EtcdMain barfs on
* Bump dependencies and go version (in go.mod)
- from version 0.5.15
- from version 0.5.14
- from version 0.5.13
- from version 0.5.12
* Fix Makefile on branch release-0.5 (#520)
* rm more v1alpha1 version (#516)
- from version 0.5.11
* Add end to end test for mountfile mode in kind Update Makefile to support run e2e from either kind or kops.
- Update to version 0.5.10
* Automated cherry pick of #491: Bump aws sdk go to v1.44.107 (#493)
* Remove vendor from release-0.5 (#498)
- Update to version 0.5.9
* Add query parameter validation for multiple parameters (#469) (bsc#1201395, CVE-2022-2385)
- from version 0.5.8
* Revert use of upstream yaml parsing (#455)
- from version 0.5.7
* Remove duplicate InitMetrics by @jngo2 in (#448) + Fixes a crash when executing authenticator in server mode
- from version 0.5.6
* Bump AWS SDK to v1.43.28 (#445)
* Use the apiversion from KUBERNETES_EXEC_INFO (#439)
* Bump promptui module to v0.9.0 (#437)
- from version 0.5.5
* Use full package name for goreleaser version (#433)
* Add sts error metric (#430)
* Emit metric for EC2 describeInstance calls (#428)
* Rename configmap_watch_failures to configmap_watch_failures_total (#432)
* Simplify goreleaser Dockerfiles (#431)
* Don't pass metrics around (#423)
- from version 0.5.4
* Embed go-runner into the image (#426)
* Bump Go to 1.17 in Travis (#414)
* Build multi-arch images (#417)
* Add kind-based development environment (#422)
* Add jaypipes to approvers/reviewers (#407)
* Fix deps (#396)
* Fix panic when cache file can't be Stat-ed (#410)
* Fix missing status definition in v1 CRD (#411)
* Use ./hack/install-etcd.sh (#405)
* Run integration tests with per-test role (#402)
* Add a counter for API server watch failures (#400)
* Upgrade CRD manifest to v1 (#397)
* Move inactives to emeritus_approvers and add active users (#399)
* Fix tests add vendor (#398)
* Integration test framework (#395)
* Add cloudbuild & improvements (#394)
* Fix typo (#390)
* Add user/role subcommands (#381)
* goreleaser: bump release to 0.164.0 and fix config deprecations (#371)
* Run go mod vendor (#388)
* doc: fix typo in RELEASE.md (#376)
* [pkg/token]: Update credential API version (#386)
* Enrich Audit Logs with additional AWS Identity details (via audit logs' 'extra' map) (#372)
- Enable vendoring for Go module dependencies

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected aws-iam-authenticator package.

See Also

https://bugzilla.suse.com/1200528

https://bugzilla.suse.com/1201395

https://bugzilla.suse.com/1227519

https://bugzilla.suse.com/1239947

https://bugzilla.suse.com/1249141

https://bugzilla.suse.com/1265842

https://bugzilla.suse.com/1266651

https://lists.suse.com/pipermail/sle-updates/2026-June/047646.html

https://www.suse.com/security/cve/CVE-2022-1996

https://www.suse.com/security/cve/CVE-2022-2385

https://www.suse.com/security/cve/CVE-2024-39689

https://www.suse.com/security/cve/CVE-2025-47910

https://www.suse.com/security/cve/CVE-2026-33814

https://www.suse.com/security/cve/CVE-2026-39821

Plugin Details

Severity: Critical

ID: 323251

File Name: suse_SU-2026-2643-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/27/2026

Updated: 6/27/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, tenable_cloud_security, tenable_self_hosted_container_security, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2022-1996

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:aws-iam-authenticator

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/26/2026

Vulnerability Publication Date: 6/6/2022

Reference Information

CVE: CVE-2022-1996, CVE-2022-2385, CVE-2024-39689, CVE-2025-47910, CVE-2026-33814, CVE-2026-39821

SuSE: SUSE-SU-2026:2643-1