Vulnerability Name: CVE-2018-15869 (CCN-148909)

Assigned: 2018-08-13
Published: 2018-08-13
Updated: 2019-10-03
Summary: An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via the AWS CLI, and who therefore does not validate the source of the software as AWS recommended security best practices require, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-732
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2018-15869

Source: BID
Type: Third Party Advisory, VDB Entry
105172

Source: CCN
Type: BID-105172
Amazon AWS Command Line Interface CVE-2018-15869 Security Bypass Vulnerability

Source: CCN
Type: Amazon Web site
Amazon Web Services (AWS)

Source: XF
Type: UNKNOWN
amazon-cve201815869-weak-security(148909)

Source: CCN
Type: GitHub Web site
Make "owners" field of source_ami_filter required: RFC #6584

Source: MISC
Type: Third Party Advisory
https://github.com/hashicorp/packer/issues/6584

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-15869

Vulnerable Configuration: Configuration 1:
  • cpe:/a:hashicorp:packer:*:*:*:*:*:*:*:* (Version < 1.3.0)

  * Denotes that component is vulnerable

Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:201815869 | V | CVE-2018-15869 | 2022-09-02
oval:org.opensuse.security:def:3450 | P | ceph-common-12.2.12+git.1568024032.02236657ca-2.39.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95080 | P | aws-cli-1.20.7-30.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:1459 | P | Security update for the Linux Kernel (Live Patch 14 for SLE 15 SP3) (Important) | 2022-03-29
oval:org.opensuse.security:def:948 | P | Security update for polkit (Moderate) | 2022-02-18
oval:org.opensuse.security:def:111994 | P | aws-cli-1.20.7-2.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:60424 | P | Security update for the Linux Kernel (Important) | 2021-12-01
oval:org.opensuse.security:def:59824 | P | Security update for webkit2gtk3 (Important) | 2021-11-23
oval:org.opensuse.security:def:64590 | P | Security update for rpm (Important) | 2021-10-15
oval:org.opensuse.security:def:105555 | P | aws-cli-1.20.7-2.2 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:71264 | P | libipa_hbac-devel-1.16.1-3.18.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71377 | P | python3-numpy-1.14.0-4.5.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:59528 | P | Security update for openssl-1_1 (Important) | 2021-08-24
oval:org.opensuse.security:def:59524 | P | Security update for java-1_8_0-openjdk (Important) | 2021-08-20
oval:org.opensuse.security:def:47484 | P | python-pywbem-0.7.0-4.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48170 | P | libpcsclite1-1.8.10-7.6.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14051 | P | update-alternatives-1.18.4-14.216 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47930 | P | yast2-3.2.48-3.29.20 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14243 | P | libjbig2-2.0-12.13 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13986 | P | mozilla-nspr-32bit-4.12-15.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14188 | P | libQt5Concurrent5-5.6.2-5.9 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47605 | P | evince-3.20.2-6.22.9 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13896 | P | libevent-2_0-5-2.0.21-4.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47469 | P | perl-XML-LibXML-2.0019-5.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14070 | P | yast2-3.1.206-36.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14916 | P | guestfs-data-1.32.4-21.3.10 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47470 | P | perl-YAML-LibYAML-0.38-10.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14894 | P | gdk-pixbuf-lang-2.34.0-19.17.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13888 | P | libarchive13-3.1.2-22.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48022 | P | gnome-keyring-3.20.0-28.3.18 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14256 | P | libmodplug1-0.8.8.4-13.63 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14033 | P | socat-1.7.2.4-3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47798 | P | libtirpc-netconfig-1.0.1-17.6.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14232 | P | libgypsy0-0.9-6.22 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13918 | P | libjpeg-turbo-1.3.1-30.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14163 | P | gv-3.7.4-1.36 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:2033 | P | aws-cli-1.18.117-8.11.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63122 | P | aws-cli-1.18.117-8.11.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:100893 | P | libXvnc1-1.9.0-19.9.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:59777 | P | Security update for mariadb (Important) | 2021-08-06
oval:org.opensuse.security:def:68024 | P | Security update for the Linux Kernel (Live Patch 23 for SLE 15 SP1) (Important) | 2021-07-27
oval:org.opensuse.security:def:60308 | P | Security update for MozillaFirefox (Important) | 2021-07-16
oval:org.opensuse.security:def:66849 | P | Security update for the Linux Kernel (Important) | 2021-06-30
oval:org.opensuse.security:def:38712 | P | Security update for arpwatch (Important) | 2021-06-28
oval:org.opensuse.security:def:48697 | P | libuuid-devel-2.25-6.69 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48595 | P | perl-Config-IniFiles-2.82-3.12 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48384 | P | clamav-0.99.2-25.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48626 | P | strongswan-5.1.3-22.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48468 | P | libXi6-1.7.4-9.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48530 | P | libopenssl-devel-1.0.2j-55.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:60267 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:1463 | P | Security update for djvulibre (Important) | 2021-05-19
oval:org.opensuse.security:def:66757 | P | Security update for webkit2gtk3 (Important) | 2021-04-29
oval:org.opensuse.security:def:70205 | P | Security update for libnettle (Important) | 2021-04-28
oval:org.opensuse.security:def:64677 | P | Security update for tar (Low) | 2021-03-29
oval:org.opensuse.security:def:94180 | P | (Moderate) | 2021-01-29
oval:org.opensuse.security:def:59709 | P | Security update for cyrus-sasl (Important) | 2020-12-28
oval:org.opensuse.security:def:117117 | P | aws-cli-1.18.38-8.8.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:90022 | P | aws-cli-1.16.61-6.22 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107559 | P | aws-cli-1.18.38-8.8.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63108 | P | aws-cli-1.16.61-6.22 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2019 | P | aws-cli-1.16.61-6.22 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63112 | P | aws-cli-1.18.38-8.8.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2023 | P | aws-cli-1.18.38-8.8.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:103677 | P | aws-cli-1.16.61-6.22 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:60567 | P | wpa_supplicant on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49850 | P | ocaml on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59343 | P | Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:60640 | P | Security update for libgcrypt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38684 | P | libjasper1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49900 | P | aws-cli on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:37991 | P | libxmltooling6 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60945 | P | Security update for shibboleth-sp (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59344 | P | Security update for postgresql10 (Important) | 2020-12-01
oval:org.opensuse.security:def:38537 | P | aaa_base on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:37895 | P | libicu-doc on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60078 | P | Security update for vim (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60758 | P | Security update for aws-cli (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60520 | P | python-doc on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73540 | P | aws-cli on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59120 | P | Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:37896 | P | libidn-tools on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60009 | P | Security update for the Linux Kernel (Live Patch 19 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:73422 | P | libgme-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38287 | P | libfreebl3 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60904 | P | Security update for sudo (Important) | 2020-12-01
oval:org.opensuse.security:def:49904 | P | aws-cli on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60685 | P | Security update for webkit2gtk3 (Important) | 2020-12-01
oval:org.opensuse.security:def:67924 | P | libopenjpeg1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:39394 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:60729 | P | Security update for squid (Important) | 2020-12-01
oval:org.opensuse.security:def:61025 | P | Security update for aws-cli (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38128 | P | apache2-mod_nss on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60782 | P | Security update for samba (Important) | 2020-12-01
oval:org.opensuse.security:def:59366 | P | Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38596 | P | fuse on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60602 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:59276 | P | Security update for libX11 (Important) | 2020-12-01
oval:org.opensuse.security:def:38645 | P | libXinerama1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:70100 | P | libmms-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:37907 | P | libkpathsea6 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49846 | P | libtool-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59097 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:38377 | P | libssh4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60995 | P | Security update for squid (Important) | 2020-12-01
oval:org.opensuse.security:def:59960 | P | Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:39436 | P | Security update for aws-cli (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60679 | P | Security update for webkit2gtk3 (Important) | 2020-12-01
oval:org.opensuse.security:def:59098 | P | Security update for dovecot22 (Important) | 2020-12-01
oval:org.opensuse.security:def:38756 | P | ntp on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38229 | P | java-1_8_0-ibm on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60866 | P | Security update for glibc (Moderate) | 2020-12-01
oval:org.opensuse.security:def:84478 | P | Security update for aws-cli (Moderate) | 2020-01-28
oval:org.opensuse.security:def:84024 | P | Security update for aws-cli (Moderate) | 2020-01-28
oval:com.ubuntu.disco:def:2018158690000000 | V | CVE-2018-15869 on Ubuntu 19.04 (disco) - medium. | 2018-08-25
oval:com.ubuntu.bionic:def:2018158690000000 | V | CVE-2018-15869 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-08-25
oval:com.ubuntu.bionic:def:201815869000 | V | CVE-2018-15869 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-08-24
oval:com.ubuntu.cosmic:def:2018158690000000 | V | CVE-2018-15869 on Ubuntu 18.10 (cosmic) - medium. | 2018-08-24
oval:com.ubuntu.cosmic:def:201815869000 | V | CVE-2018-15869 on Ubuntu 18.10 (cosmic) - medium. | 2018-08-24
oval:com.ubuntu.trusty:def:201815869000 | V | CVE-2018-15869 on Ubuntu 14.04 LTS (trusty) - medium. | 2018-08-24
oval:com.ubuntu.xenial:def:2018158690000000 | V | CVE-2018-15869 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-08-24
oval:com.ubuntu.xenial:def:201815869000 | V | CVE-2018-15869 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-08-24