
chore(deps): update module github.com/harvester/harvester-installer to v1.6.0 [security] (v1.7)#149

Open: renovate[bot] wants to merge 1 commit into v1.7 from renovate/v1.7-go-github.com-harvester-harvester-installer-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 26, 2026


This PR contains the following updates:

Package                                   Change
github.com/harvester/harvester-installer  v1.5.1 -> v1.6.0

Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer

CVE-2025-62877 / GHSA-6g8q-hp2j-gvwv / GO-2026-4281

More information

Details

Impact

Projects using the SUSE Virtualization (Harvester) environment are vulnerable to this exploit if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the [Harvester configuration](https://docs.harvesterhci.io/v1.7/install/harvester-configuration) setup.

A critical vulnerability has been identified within the SUSE Virtualization interactive installer. This vulnerability allows an attacker to gain unauthorized network access to the host via a remote shell (SSH).

The SUSE Virtualization operating system includes a default administrative login credential intended solely for out-of-band cluster management tasks (for example, performing troubleshooting, device management and system recovery over serial ports). When the interactive installer is used to create or expand a cluster, the installer enables the host's networking functions before the default password is reset. This presents a window of opportunity for an attacker to exploit the default password to gain unauthorized access to the host via SSH.

Please consult the associated MITRE ATT&CK - Technique - Default Credentials for further information about this category of attack.

Patches

This vulnerability is addressed by updating the interactive installer to allow the user to reset the OS default login password, before proceeding to other system configuration screens like the host networking screen and before network connectivity for remote access to the host is actually enabled.

v1.7.0 and later include the necessary security fixes.

Workarounds

For environments that are dependent on the SUSE Virtualization 1.5 and 1.6 interactive installer, users should upgrade the clusters to SUSE Virtualization 1.7 and use the 1.7 installer to manage hosts. These versions allow users to reset the operating system's default administrative password before proceeding to other system configuration screens and before enabling network connectivity for remote host access.

Projects can also perform one of the following workarounds to mitigate the risk:

  • If upgrading to v1.7.x is not an option, use the PXE boot mechanism along with a configuration file to define a secure password.
  • Apply network security controls to limit access to the server from any untrusted location during bootstrapping. For example, ensure that port 22 is not exposed to the public internet until at least the default login password is changed to a secure value.
Resources

If users have any questions or comments about this advisory:

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

harvester/harvester-installer (github.com/harvester/harvester-installer)

v1.6.0

Compare Source

What's Changed

Full Changelog: harvester/harvester-installer@v1.6.0-rc6...v1.6.0

v1.5.2

Compare Source

What's Changed

Full Changelog: harvester/harvester-installer@v1.5.1...v1.5.2


Configuration

📅 Schedule: (in timezone Asia/Taipei)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
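The first workaround in the advisory above (PXE boot with a configuration file that defines a secure password) as an added example; this is not code from this PR or from the harvester-installer project. It is a stdlib-only Python helper that assembles a Harvester configuration file and refuses to render it while the OS password is unset, plaintext or MD5-crypt, which is the same invariant the 1.7 installer enforces interactively: the default credential is replaced before the host has network connectivity. The key names (`scheme_version`, `token`, `os.hostname`, `os.password`, `install.mode`, `install.device`) are assumed from the Harvester configuration reference rather than taken from this page, and `SAMPLE_HASH` is a constructed placeholder in SHA-512-crypt shape, not a real hash.

```python
"""Added example (not code from this PR or from harvester-installer): gate a
PXE-served Harvester configuration so the OS default credential can never
survive first boot with networking up. Stdlib only."""
import re

# Acceptable crypt(3) hash shapes. "$6$" (SHA-512 crypt) is what
# `openssl passwd -6` and `mkpasswd -m sha-512` produce; "$y$" is yescrypt.
# MD5-crypt ("$1$") is classified as weak; anything else is treated as plaintext.
_SHA512_CRYPT = re.compile(r"^\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$")
_YESCRYPT = re.compile(r"^\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+$")

# Constructed placeholder in SHA-512-crypt shape (16-char salt, 86-char digest).
# A real value is generated on the operator's workstation, never typed here.
SAMPLE_HASH = "$6$Xy9kLm2pQr4sTu6v$" + "A" * 86


def classify_password(value):
    """Return 'hashed', 'weak-hash', 'plaintext' or 'empty' for an os.password value."""
    if not isinstance(value, str) or value == "":
        return "empty"
    if _SHA512_CRYPT.match(value) or _YESCRYPT.match(value):
        return "hashed"
    if value.startswith("$1$"):
        return "weak-hash"
    return "plaintext"


def validate_config(cfg):
    """Return a list of problems; an empty list means the file is safe to serve over PXE."""
    problems = []
    kind = classify_password(cfg.get("os", {}).get("password"))
    if kind == "empty":
        problems.append("os.password unset: the image's default credential would survive first boot")
    elif kind == "plaintext":
        problems.append("os.password is plaintext: a PXE-served config is readable by every host on the boot network")
    elif kind == "weak-hash":
        problems.append("os.password uses MD5-crypt ($1$): use SHA-512 crypt ($6$) or yescrypt ($y$)")
    return problems


def _scalar(v):
    """Render one YAML scalar; strings are always double-quoted so '$6$...' is never misparsed."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, int):
        return str(v)
    return '"' + str(v).replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_yaml(obj, indent=0):
    """Minimal YAML emitter for the nested dict / list / scalar shape used here."""
    pad = " " * indent
    lines = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if isinstance(val, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(render_yaml(val, indent + 2))
            else:
                lines.append(f"{pad}{key}: {_scalar(val)}")
    elif isinstance(obj, list):
        for val in obj:
            lines.append(f"{pad}- {_scalar(val)}")
    return lines


def build_pxe_config(hostname, password_hash, token, device="/dev/sda", mode="create"):
    """Assemble the config; raise instead of rendering one that leaves the default credential usable.

    Key names (scheme_version, token, os.hostname, os.password, install.mode,
    install.device) are assumed from the Harvester configuration reference.
    """
    cfg = {
        "scheme_version": 1,
        "token": token,
        "os": {"hostname": hostname, "password": password_hash},
        "install": {"mode": mode, "device": device},
    }
    problems = validate_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(render_yaml(cfg)) + "\n"


if __name__ == "__main__":
    print(build_pxe_config("node-1", SAMPLE_HASH, "constructed-cluster-token"))
    try:
        build_pxe_config("node-2", "Welcome123!", "constructed-cluster-token")
    except ValueError as err:
        print("rejected:", err)
```

Generate the real hash with `openssl passwd -6` on the operator workstation and paste only the hash into the config; the check treats a plaintext value as a defect because the PXE config is fetched over the boot network by every installing host, so a readable password there is the same exposure the advisory describes, just moved from SSH to HTTP.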

…o v1.6.0 [security]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot added dependencies Pull requests that update a dependency file needs-review renovate/v1.7 labels Jun 26, 2026
@renovate

renovate Bot commented Jun 26, 2026


⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: github.com/mudler/yip@v0.0.0-20211129144714-088f39125cf7 requires
	github.com/mudler/entities@v0.0.0-20211108084227-d1414478861b requires
	github.com/tredoe/osutil/v2@v2.0.0-rc.16: reading github.com/tredoe/osutil/go.mod at revision v2.0.0-rc.16: unknown revision v2.0.0-rc.16

