susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path...

8.7 / 10

HIGH

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.

AI Analysis

Path Traversal vulnerability in susemanager-tftpsync-recv allows arbitrary file creation and deletion

Basic Information

ID CVE-2025-53880

Source suse

Published Oct 30, 2025 at 10:31

Modified Oct 30, 2025 at 13:38

Affected Product

Vendor SUSE

Product Container suse/manager/4.3/proxy-httpd:latest

Version ?

Affected Versions SUSE Container suse/manager/4.3/proxy-httpd:latest ?
SUSE Container suse/manager/5.0/x86_64/proxy-httpd:latest ?
SUSE Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:latest ?
SUSE SUSE Manager Proxy LTS 4.3 ?

CWE Classification

CWE-35

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor SUSE

Product susemanager-tftpsync-recv

Version 4.3, 5.0, 5.1

References

bugzilla.suse.com /show_bug.cgi

{
    "lastseen": "",
    "description": "A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses.",
    "published": "2025-10-30T10:31:15.866Z",
    "modified": "2025-10-30T13:38:33.880Z",
    "type": "cve",
    "title": "susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal",
    "source": "suse",
    "references": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53880",
    "id": "CVE-2025-53880",
    "bulletinFamily": "",
    "cwe": [
        "CWE-35"
    ],
    "cvelist": null,
    "sourceData": "SUSE Container suse/manager/4.3/proxy-httpd:latest ?\nSUSE Container suse/manager/5.0/x86_64/proxy-httpd:latest ?\nSUSE Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:latest ?\nSUSE SUSE Manager Proxy LTS 4.3 ?",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Container suse/manager/4.3/proxy-httpd:latest",
    "version": "?",
    "vendor": "SUSE",
    "ai_description": "Path Traversal vulnerability in susemanager-tftpsync-recv allows arbitrary file creation and deletion",
    "ai_severity": "High",
    "ai_vendor": "SUSE",
    "ai_product": "susemanager-tftpsync-recv",
    "ai_version": "4.3, 5.0, 5.1",
    "ai_score": 8.7
}

susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal_CVE-2025-53880