Harvest may expose OS default ssh login password via SUSE...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.

AI Analysis

Exposure of OS default ssh login password via interactive installer

Basic Information

ID CVE-2025-62877

Source suse

Published Jan 8, 2026 at 12:29

Affected Product

Vendor SUSE

Product harvester

Version 1.6.0

Affected Versions SUSE harvester 1.6.0
SUSE harvester 1.5.0

CWE Classification

CWE-1188

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor SUSE

Product Harvester

Version 1.5.x, 1.6.x

References

{
    "lastseen": "",
    "description": "Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.",
    "published": "2026-01-08T12:29:07.079Z",
    "modified": "2026-01-08T12:29:07.079Z",
    "type": "cve",
    "title": "Harvest may expose OS default ssh login password via SUSE Virtualization Interactive Installer",
    "source": "suse",
    "references": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877\nhttps://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv",
    "id": "CVE-2025-62877",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1188"
    ],
    "cvelist": null,
    "sourceData": "SUSE harvester 1.6.0\nSUSE harvester 1.5.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "harvester",
    "version": "1.6.0",
    "vendor": "SUSE",
    "ai_description": "Exposure of OS default ssh login password via interactive installer",
    "ai_severity": "Critical",
    "ai_vendor": "SUSE",
    "ai_product": "Harvester",
    "ai_version": "1.5.x, 1.6.x",
    "ai_score": 9.8
}

Harvest may expose OS default ssh login password via SUSE Virtualization Interactive Installer_CVE-2025-62877