Vulnerability Name:

CVE-2012-0420 (CCN-89677)

Assigned:2012-07-10
Published:2012-07-10
Updated:2013-12-03
Summary:zypp-refresh-wrapper in SUSE Zypper before 1.3.20 and 1.6.x before 1.6.166 allows local users to create files in arbitrary directories, or possibly have unspecified other impact, via a pathname in the ZYPP_LOCKFILE_ROOT environment variable.
CVSS v3 Severity:5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
3.2 Low (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2012-0420

Source: CCN
Type: Zypper Web site
Portal:Zypper - openSUS

Source: CCN
Type: Bugzilla Bug 770630
zypper: setuid wrapper links against libzypp

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.novell.com/show_bug.cgi?id=770630

Source: XF
Type: UNKNOWN
zypper-zypprefreshwrapper-sec-bypass(89677)

Source: CONFIRM
Type: Vendor Advisory
https://support.novell.com/security/cve/CVE-2012-0420.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:opensuse:zypper:0.11.6:*:*:*:*:*:*:*
  • OR cpe:/a:opensuse:zypper:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:opensuse:zypper:*:*:*:*:*:*:*:* (Version <= 1.2.8)
  • OR cpe:/a:opensuse:zypper:1.6.16:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20120420 | V | CVE-2012-0420 | 2022-05-20
oval:org.opensuse.security:def:33749 | P | Security update for webkit2gtk3 (Important) | 2021-12-01
oval:org.opensuse.security:def:55258 | P | Security update for MozillaFirefox (Important) | 2021-10-15
oval:org.opensuse.security:def:33978 | P | Security update for MozillaFirefox (Important) | 2021-09-22
oval:org.opensuse.security:def:33710 | P | Security update for file (Important) | 2021-09-02
oval:org.opensuse.security:def:32993 | P | Security update for libesmtp (Important) | 2021-09-02
oval:org.opensuse.security:def:29411 | P | Security update for cpio (Important) | 2021-08-23
oval:org.opensuse.security:def:32982 | P | Security update for java-1_8_0-openjdk (Important) | 2021-08-20
oval:org.opensuse.security:def:55936 | P | Security update for fetchmail (Moderate) | 2021-08-18
oval:org.opensuse.security:def:32981 | P | Security update for fetchmail (Moderate) | 2021-08-18
oval:org.opensuse.security:def:33954 | P | Security update for mariadb (Important) | 2021-08-06
oval:org.opensuse.security:def:34495 | P | Security update for lasso (Important) | 2021-08-02
oval:org.opensuse.security:def:29388 | P | Security update for ovmf (Important) | 2021-06-22
oval:org.opensuse.security:def:34455 | P | Security update for the Linux Kernel (Important) | 2021-06-08
oval:org.opensuse.security:def:33661 | P | Security update for gstreamer-plugins-bad (Important) | 2021-06-07
oval:org.opensuse.security:def:33915 | P | Security update for djvulibre (Important) | 2021-05-31
oval:org.opensuse.security:def:33652 | P | Security update for libxml2 (Important) | 2021-05-19
oval:org.opensuse.security:def:34660 | P | Security update for wavpack (Important) | 2021-03-24
oval:org.opensuse.security:def:55855 | P | Security update for MozillaFirefox (Important) | 2021-03-01
oval:org.opensuse.security:def:33773 | P | Security update for perl-XML-Twig (Moderate) | 2021-03-01
oval:org.opensuse.security:def:29474 | P | Security update for java-1_8_0-openjdk (Moderate) | 2021-02-19
oval:org.opensuse.security:def:34022 | P | Security update for openvswitch (Important) | 2021-02-15
oval:org.opensuse.security:def:33072 | P | Security update for openvswitch (Important) | 2021-02-12
oval:org.opensuse.security:def:29257 | P | Security update for tomcat6 (Important) | 2020-12-01
oval:org.opensuse.security:def:33604 | P | Security update for MozillaFirefox (Moderate) | 2020-12-01
oval:org.opensuse.security:def:28588 | P | Security update for Mozilla NSS | 2020-12-01
oval:org.opensuse.security:def:28983 | P | Security update for vorbis-tools (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27174 | P | libapr1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29531 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:29269 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:55743 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:34700 | P | Security update for zypper | 2020-12-01
oval:org.opensuse.security:def:27377 | P | boost-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29823 | P | Security update for java-1_6_0-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:33198 | P | logrotate on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29564 | P | Security update for OpenEXR (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27600 | P | Security update for apache2-mod_security2 | 2020-12-01
oval:org.opensuse.security:def:29929 | P | Security update for libgcrypt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:54412 | P | yast2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:33507 | P | Security update for OpenSSL | 2020-12-01
oval:org.opensuse.security:def:29706 | P | Security update for Mozilla Firefox | 2020-12-01
oval:org.opensuse.security:def:33207 | P | mozilla-nspr-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27853 | P | Security update for php53 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:30648 | P | Security update for zypper | 2020-12-01
oval:org.opensuse.security:def:54575 | P | libmusicbrainz4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:33809 | P | Security update for ghostscript-library (Moderate) | 2020-12-01
oval:org.opensuse.security:def:30406 | P | Security update for xorg-x11-libs | 2020-12-01
oval:org.opensuse.security:def:29188 | P | Security update for mysql (Important) | 2020-12-01
oval:org.opensuse.security:def:33447 | P | Security update for GhostScript | 2020-12-01
oval:org.opensuse.security:def:27950 | P | Security update for ImageMagick (Important) | 2020-12-01
oval:org.opensuse.security:def:28972 | P | Recommended update for python-setuptools (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55092 | P | dia on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27173 | P | libapr-util1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29183 | P | Security update for mutt (Important) | 2020-12-01
oval:org.opensuse.security:def:55651 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:27249 | P | ntp on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29769 | P | Security update for glibc (Important) | 2020-12-01
oval:org.opensuse.security:def:33817 | P | Security update for glibc (Important) | 2020-12-01
oval:org.opensuse.security:def:33187 | P | libtiff3 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27516 | P | mozilla-nspr-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29911 | P | Security update for libapr-util1 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:33412 | P | Security update for Salt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29667 | P | Security update for dbus-1 (Important) | 2020-12-01
oval:org.opensuse.security:def:57286 | P | Security update for zypper | 2020-12-01
oval:org.opensuse.security:def:27804 | P | Security update for libpng | 2020-12-01
oval:org.opensuse.security:def:30611 | P | Security update for squid3 | 2020-12-01
oval:org.opensuse.security:def:54435 | P | colord on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29768 | P | Security update for glibc (Important) | 2020-12-01
oval:org.opensuse.security:def:29177 | P | Security update for microcode_ctl (Important) | 2020-12-01
oval:org.opensuse.security:def:33359 | P | Security update for openssl1 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27906 | P | Security update for Xen | 2020-12-01
oval:org.opensuse.security:def:28971 | P | Security update for postgresql94 (Important) | 2020-12-01
oval:org.opensuse.security:def:54986 | P | pidgin-plugin-otr on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:28623 | P | Security update for zypper | 2020-12-01
oval:org.opensuse.security:def:29052 | P | Security update for bind (Critical) | 2020-12-01
oval:org.opensuse.security:def:55543 | P | Security update for augeas (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27185 | P | libgcc_s1-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29616 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:33186 | P | libtevent0-x86 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29326 | P | Security update for clamsap (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55817 | P | Security update for systemd (Important) | 2020-12-01
oval:org.opensuse.security:def:27459 | P | libmikmod on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29872 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:33277 | P | unrar on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29618 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:57212 | P | Security update for Mozilla Firefox | 2020-12-01
oval:org.opensuse.security:def:27751 | P | Security update for giflib (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29973 | P | Security update for librsvg (Important) | 2020-12-01
oval:org.opensuse.security:def:54413 | P | yast2-core on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:33564 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:29724 | P | Security update for MozillaFirefox, mozilla-nspr (Important) | 2020-12-01
oval:org.opensuse.security:def:29176 | P | Security update for microcode_ctl (Important) | 2020-12-01
oval:org.opensuse.security:def:33302 | P | xorg-x11-libxcb-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27892 | P | Security update for samba (Important) | 2020-12-01
oval:org.opensuse.security:def:54813 | P | java-1_7_0-openjdk-plugin on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:33866 | P | Security update for jasper (Important) | 2020-12-01
oval:org.opensuse.security:def:30443 | P | Security update for zypper | 2020-12-01
oval:org.opensuse.security:def:79920 | P | Security update for zypper | 2012-07-10
    opensuse zypper 0.11.6
    opensuse zypper 1.0.2
    opensuse zypper *
    opensuse zypper 1.6.16