Proxmox Virtual Environment - Security Advisories

Status
Not open for further replies.

Subject: PSA-2025-00009-1: Ceph management: limited privileged file creation vulnerability

Advisory date: 2025-04-17

Packages: pve-manager

Details: On setups using the Ceph management stack, a highly-privileged user could trigger the creation of a task log file and its parent directories outside of the intended location inside /var/log/pve/tasks.

This vulnerability does not allow overwriting an existing file. The created task log file's name always ends in :user@realm: (user and realm are placeholders for the actual user triggering the issue and their realm). Its content is the task log, which is not under the control of the user.

Only users/tokens with the Sys.Modify privilege can trigger this issue. This privilege already "allow(s) modifying aspects of the system or its configuration that are dangerous or sensitive" (see references).

Fixed: pve-manager >= 8.3.6, libpve-common-perl >= 8.3.1

References:
- Sys.Modify privilege: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_privileges

Subject: PSA-2025-00010-1: libtpms0/swtpm out of bounds read vulnerability

Advisory date: 2025-06-23

Packages: libtpms0

Details: libtpms, a library for integrating TPM functionality into QEMU, was affected by an out of bounds read vulnerability that could be used to trigger an abort of swtpm, rendering the virtual TPM assigned to a QEMU VM inoperable.

Fixed: libtpms0 >= 0.9.7+pve1

References:
- CVE-2025-49133
- CVE-2025-2884
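As an added example that is not part of either advisory or of Proxmox's own code: a check that tells whether an installed package version is at or above the fixed versions named in the two advisories above (pve-manager >= 8.3.6, libpve-common-perl >= 8.3.1, libtpms0 >= 0.9.7+pve1). It re-implements dpkg's version ordering (epoch, then alternating non-digit and digit runs, with `~` sorting first) so the check runs offline; the installed version string is assumed to have been read on the host with `dpkg-query -W -f='${Version}' <package>`.

```python
import re
from itertools import zip_longest

# Added example, not code from Proxmox: a dpkg-compatible version ordering used to
# test installed package versions against the fixed versions in the advisories.
FIXED_VERSIONS = {
    "pve-manager": "8.3.6",
    "libpve-common-perl": "8.3.1",
    "libtpms0": "0.9.7+pve1",
}

def _order(c):
    # dpkg character weights: '~' sorts before everything (even end of string),
    # letters before other symbols, and end of string counts as 0
    if c == "":
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg alternates non-digit and digit runs: non-digit runs compare character
    # by character with the weights above, digit runs compare numerically
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    # 'epoch:upstream-revision'; epoch defaults to 0 and revision to ''
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # negative, zero or positive, with the same ordering as `dpkg --compare-versions`
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(package, installed):
    # True when the installed version is at or above the advisory's fixed version
    return compare_versions(installed, FIXED_VERSIONS[package]) >= 0
```

On a live host, `dpkg --compare-versions <installed> ge <fixed>` gives the same verdict without this code; the point of the re-implementation is to show why `0.9.7` is below `0.9.7+pve1` while `0.9.8~rc1` is above it.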