rpm package
suse/himmelblau&distro=SUSE Linux Enterprise Module for Basesystem 15 SP7
pkg:rpm/suse/himmelblau&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34397 | Med | 6.3 | | < 2.3.9+git0.a9fd29b-150700.3.15.1 | 2.3.9+git0.a9fd29b-150700.3.15.1 | Apr 1, 2026 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelb |
| CVE-2026-31979 | | — | | < 2.3.9+git0.a9fd29b-150700.3.15.1 | 2.3.9+git0.a9fd29b-150700.3.15.1 | Mar 11, 2026 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the himmelblaud-tasks daemon, running as root, writes Kerberos cache files under /tmp/krb5cc_ without symlink protections. Since commit 87a51ee, PrivateTmp is explicitl |
| CVE-2026-25727 | | — | | < 2.3.9+git0.a9fd29b-150700.3.15.1 | 2.3.9+git0.a9fd29b-150700.3.15.1 | Feb 6, 2026 | time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used |
| CVE-2025-58160 | Low | — | | < 0.7.18+git.0.8485a75-150700.3.6.1 | 0.7.18+git.0.8485a75-150700.3.6.1 | Aug 29, 2025 | tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i |
| CVE-2025-54882 | | — | | < 2.3.9+git0.a9fd29b-150700.3.15.1 | 2.3.9+git0.a9fd29b-150700.3.15.1 | Aug 7, 2025 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions 0.8.0 through 0.9.21 and 1.0.0-beta through 1.1.0, Himmelblau stores the cloud TGT received during logon in the Kerberos credential cache. The created credential cache collection and rece |
| CVE-2025-53013 | Med | 5.2 | | < 2.3.9+git0.a9fd29b-150700.3.15.1 | 2.3.9+git0.a9fd29b-150700.3.15.1 | Jun 26, 2025 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. A vulnerability present in versions 0.9.10 through 0.9.16 allows a user to authenticate to a Linux host via Himmelblau using an *invalid* Linux Hello PIN, provided the host is offline. While the user |
| CVE-2025-5791 | Hig | 7.1 | | < 0.7.17+git.0.1ebdab0-150700.3.3.2 | 0.7.17+git.0.1ebdab0-150700.3.3.2 | Jun 6, 2025 | A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list. |
| CVE-2025-3416 | Low | 3.7 | | < 0.7.17+git.0.1ebdab0-150700.3.3.2 | 0.7.17+git.0.1ebdab0-150700.3.3.2 | Apr 8, 2025 | A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string. |
| CVE-2024-11738 | | — | | < 2.3.9+git0.a9fd29b-150700.3.15.1 | 2.3.9+git0.a9fd29b-150700.3.15.1 | Dec 6, 2024 | A flaw was found in Rustls 0.23.13 and related APIs. This vulnerability allows denial of service (panic) via a fragmented TLS ClientHello message. |