Details: On setups using the Ceph management stack, a highly-privileged user could trigger the creation of a task log file and its parent directories outside of the intended location inside /var/log/pve/tasks.
This vulnerability does not allow overwriting an existing file. The created task log file's name always ends in :user@realm: (user and realm are placeholders for the actual user triggering the issue, and its realm). Its content is the task log which is not under control of the user.
Only users/tokens with the Sys.Modify privilege can trigger this issue. This privilege already "allow(s) modifying aspects of the system or its configuration that are dangerous or sensitive" (see references).
Subject: PSA-2025-00010-1: libtpms0/swtpm out of bounds read vulnerability
Advisory date: 2025-06-23
Packages: libtpms0
Details: libtpms, a library for integrating TPM functionality into QEMU was affected by an out of bounds read vulnerability that could be used to trigger an abort of swtpm, rendering the virtual TPM assigned to a QEMU VM inoperable.
Subject: PSA-2025-00011-1: Lack of support for OVS bridges in nftables-based firewall (tech-preview)
Advisory date: 2025-07-09
Packages: pve-firewall/qemu-server/pve-container
Details: When using the optional nftables-based firewall implementation, OVS bridges used for guest vNICs where not configured using intermediate firewall bridges. As a result, traffic flowing to/from guests on an OVS bridge was not visible in the netfilter bridge table, and not filtered according to the ruleset.
Note: The nftables feature is an opt-in technology preview. Setups using regular linux bridges are not affected.
Subject: PSA-2025-00012-1: Incomplete exclusion of the NTFS module in Grub2 with Secure Boot
Advisory date: 2025-07-10
Packages: grub-efi-amd64-signed 1+2.06+13+pmx6
Details: The NTFS fixes for the issues described in PSA-2025-00005-1 were reverted due to a regression. This was done under the assumption that the NTFS Grub module could not be loaded with Secure Boot enabled. However, this was not the case when the module was part of the monolithic GRUB EFI binary used in default setups that enable Secure Boot. To fix this, exclude the NTFS module from being part of the monolithic GRUB EFI binary.
Subject: PSA-2025-00013-1: stored XSS in config values
Advisory date: 2025-08-14
Packages: pve-manager
Details: The HTTP proxy, WebAuthN and U2F setting dialogues in the web interface were susceptible to XSS. Editing these settings requires the Sys.Modify privilege on the ACL path /, which is only given to users with the Adminstrator role by default.
