Vulnerability Name: CVE-2018-20105 (CCN-175718)

Assigned: 2018-12-18
Published: 2018-12-18
Updated: 2020-02-27
Summary: An Inclusion of Sensitive Information in Log Files vulnerability in yast2-rmt of SUSE Linux Enterprise Server 15 and openSUSE Leap allows local attackers to learn the password if they can access the log file. This issue affects: SUSE Linux Enterprise Server 15 yast2-rmt versions prior to 1.2.2; openSUSE Leap yast2-rmt versions prior to 1.2.2.
CVSS v3 Severity:
  5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics:
      Attack Vector (AV): Local
      Attack Complexity (AC): Low
      Privileges Required (PR): Low
      User Interaction (UI): None
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): High
      Integrity (I): None
      Availability (A): None
  6.2 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  5.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics:
      Attack Vector (AV): Local
      Attack Complexity (AC): Low
      Privileges Required (PR): None
      User Interaction (UI): None
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): High
      Integrity (I): None
      Availability (A): None
CVSS v2 Severity:
  2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
    Exploitability Metrics:
      Access Vector (AV): Local
      Access Complexity (AC): Low
      Authentication (Au): None
    Impact Metrics:
      Confidentiality (C): Partial
      Integrity (I): None
      Availability (A): None
  4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:N/A:N)
    Exploitability Metrics:
      Access Vector (AV): Local
      Access Complexity (AC): Low
      Authentication (Au): None
    Impact Metrics:
      Confidentiality (C): Complete
      Integrity (I): None
      Availability (A): None
Vulnerability Type: CWE-532
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2018-20105

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2020:0253

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2020:0320

Source: CCN
Type: Bugzilla - Bug 1119835
(CVE-2018-20105) VUL-0: CVE-2018-20105: yast2-rmt: CA private key passphrase exposed in log-file

Source: CONFIRM
Type: Exploit, Issue Tracking, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1119835

Source: XF
Type: UNKNOWN
suse-cve201820105-info-disc(175718)

Source: CCN
Type: SUSE Web site
Open Source Solutions for Enterprise Servers, Cloud & Storage

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-20105

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:yast2-rmt_project:yast2-rmt:*:*:*:*:*:*:*:* (Version < 1.2.2)

Configuration 2:
  • cpe:/o:opensuse:leap:15.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux_enterprise_server:15:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/o:suse:linux_enterprise_server:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:52004 | P | Security update for net-snmp (Moderate) | 2023-01-12
oval:org.opensuse.security:def:636 | P | Security update for nodejs16 (Important) (in QA) | 2022-09-29
oval:org.opensuse.security:def:201820105 | V | CVE-2018-20105 | 2022-09-02
oval:org.opensuse.security:def:94254 | P | (Moderate) | 2022-07-06
oval:org.opensuse.security:def:3536 | P | kbd-2.0.4-8.10.2 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95166 | P | yast2-rmt-1.3.2-3.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:1667 | P | Security update for rsyslog (Important) | 2022-05-09
oval:org.opensuse.security:def:113618 | P | yast2-rmt-1.3.3-1.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:74740 | P | Security update for go1.17 (Moderate) | 2021-10-20
oval:org.opensuse.security:def:107000 | P | yast2-rmt-1.3.3-1.2 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:4221 | P | Security update for gd (Moderate) | 2021-09-27
oval:org.opensuse.security:def:4155 | P | Security update for grilo (Important) | 2021-09-23
oval:org.opensuse.security:def:63241 | P | stunnel-5.44-1.29 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:4151 | P | Security update for libaom (Important) | 2021-09-09
oval:org.opensuse.security:def:64572 | P | Security update for xerces-c (Important) | 2021-09-06
oval:org.opensuse.security:def:4148 | P | Security update for libass (Important) | 2021-08-20
oval:org.opensuse.security:def:51635 | P | Security update for java-1_8_0-openjdk (Important) | 2021-08-20
oval:org.opensuse.security:def:70279 | P | Security update for djvulibre (Important) | 2021-08-20
oval:org.opensuse.security:def:51634 | P | Security update for fetchmail (Moderate) | 2021-08-18
oval:org.opensuse.security:def:64553 | P | Security update for cpio (Important) | 2021-08-16
oval:org.opensuse.security:def:63463 | P | binutils-gold-2.35.1-7.18.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:101412 | P | yast2-rmt-1.3.2-3.3.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2297 | P | yast2-rmt-1.3.2-3.3.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63386 | P | yast2-rmt-1.3.2-3.3.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63444 | P | nping-7.70-3.12.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:62789 | P | libid3tag0-0.15.1b-3.14 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62742 | P | flatpak-1.10.2-4.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72753 | P | perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62761 | P | ibus-chewing-1.6.1-1.53 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62738 | P | eog-3.34.2-1.46 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62745 | P | fwupd-1.5.8-1.13 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62757 | P | gvfs-1.42.2-4.24 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62770 | P | libXinerama1-32bit-1.1.3-1.22 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100967 | P | librrd8-1.7.0-4.34 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62764 | P | libIlmImf-2_2-23-2.2.1-3.24.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:4144 | P | Security update for webkit2gtk3 (Important) | 2021-08-03
oval:org.opensuse.security:def:51929 | P | Security update for curl (Moderate) | 2021-07-21
oval:org.opensuse.security:def:4141 | P | Security update for caribou (Important) | 2021-07-20
oval:org.opensuse.security:def:4203 | P | Security update for ffmpeg (Important) | 2021-07-14
oval:org.opensuse.security:def:66831 | P | Security update for java-1_8_0-openjdk (Moderate) | 2021-06-17
oval:org.opensuse.security:def:51900 | P | Security update for gstreamer-plugins-bad (Important) | 2021-06-07
oval:org.opensuse.security:def:64514 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:4128 | P | Security update for libass (Moderate) | 2021-05-20
oval:org.opensuse.security:def:64495 | P | Security update for the Linux Kernel (Important) | 2021-05-12
oval:org.opensuse.security:def:64684 | P | Security update for java-11-openjdk (Important) | 2021-05-11
oval:org.opensuse.security:def:73614 | P | Security update for java-11-openjdk (Important) | 2021-05-11
oval:org.opensuse.security:def:74626 | P | Security update for xorg-x11-server (Important) | 2021-04-13
oval:org.opensuse.security:def:4118 | P | Security update for fwupd (Important) | 2021-04-08
oval:org.opensuse.security:def:51533 | P | Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important) | 2021-04-07
oval:org.opensuse.security:def:4116 | P | Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk (Important) | 2021-04-07
oval:org.opensuse.security:def:64665 | P | Security update for openssl-1_1 (Moderate) | 2021-03-09
oval:org.opensuse.security:def:51737 | P | Security update for java-1_8_0-ibm (Important) | 2021-02-26
oval:org.opensuse.security:def:51719 | P | Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important) | 2021-02-10
oval:org.opensuse.security:def:66923 | P | Security update for openvswitch (Important) | 2021-02-03
oval:org.opensuse.security:def:69518 | P | Security update for openvswitch (Important) | 2021-02-02
oval:org.opensuse.security:def:51895 | P | Security update for dovecot22 (Important) | 2021-01-04
oval:org.opensuse.security:def:51099 | P | Security update for cyrus-sasl (Important) | 2020-12-28
oval:org.opensuse.security:def:70174 | P | Security update for xen (Moderate) | 2020-12-22
oval:org.opensuse.security:def:51094 | P | Security update for spice-gtk (Important) | 2020-12-16
oval:org.opensuse.security:def:69413 | P | Security update for xen (Important) | 2020-12-04
oval:org.opensuse.security:def:3946 | P | libXres-devel-1.0.7-3.53 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4029 | P | libpcrecpp0-8.39-8.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4023 | P | libopus-devel-1.1-3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:117191 | P | yast2-rmt-1.3.0-1.43 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4043 | P | libraptor-devel-2.0.10-3.63 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3934 | P | libX11-devel-1.6.2-12.5.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4017 | P | libnettle-devel-2.7.1-12.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63260 | P | dpdk-19.11.1-1.3 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63312 | P | yast2-rmt-1.3.0-1.43 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62948 | P | dpkg-1.19.0.4-2.30 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4101 | P | obs-service-appimage-0.10.6.1551887937.e42c270-1.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63591 | P | libpurple-2.13.0-3.35 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107633 | P | yast2-rmt-1.3.0-1.43 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4031 | P | libplist++-devel-1.12-20.3.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4245 | P | typelib-1_0-Gtk-2_0-2.24.31-9.6.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3986 | P | libguestfs-devel-1.32.4-21.3.10 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62967 | P | ncurses-devel-32bit-6.1-5.6.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4045 | P | librelp-devel-1.2.12-3.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63610 | P | bogofilter-common-1.2.4-1.40 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2223 | P | yast2-rmt-1.3.0-1.43 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3926 | P | krb5-devel-1.12.5-40.37.7 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4085 | P | libzip-devel-0.11.1-13.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4255 | P | Security update for the Linux Kernel (Live Patch 2 for SLE 15) (Important) | 2020-12-02
oval:org.opensuse.security:def:4897 | P | Security update for dpdk (Critical) | 2020-12-02
oval:org.opensuse.security:def:4252 | P | Security update for the Linux Kernel (Live Patch 8 for SLE 15) (Important) | 2020-12-02
oval:org.opensuse.security:def:4814 | P | Security update for yast2-rmt (Moderate) | 2020-12-02
oval:org.opensuse.security:def:4259 | P | Security update for the Linux Kernel (Live Patch 7 for SLE 15) (Important) | 2020-12-02
oval:org.opensuse.security:def:4918 | P | Security update for yast2-rmt (Moderate) | 2020-12-02
oval:org.opensuse.security:def:4793 | P | Security update for bind (Important) | 2020-12-02
oval:org.opensuse.security:def:66182 | P | Security update for yast2-rmt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:72871 | P | Security update for yast2-rmt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64412 | P | libzmq5 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:53280 | P | Security update for dhcp (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50563 | P | Security update for libqt5-qtbase (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64168 | P | Security update for sane-backends (Important) | 2020-12-01
oval:org.opensuse.security:def:50444 | P | Security update for wireshark (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63820 | P | Security update for libssh2_org (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50108 | P | yast2-rmt on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51823 | P | Security update for liblouis (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50832 | P | Security update for libproxy (Important) | 2020-12-01
oval:org.opensuse.security:def:64286 | P | kernel-default on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51263 | P | Security update for gstreamer-plugins-base (Important) | 2020-12-01
oval:org.opensuse.security:def:51825 | P | Security update for bluez (Moderate) | 2020-12-01
oval:org.opensuse.security:def:66090 | P | Security update for SUSE Manager 4.0 (Critical) | 2020-12-01
oval:org.opensuse.security:def:73496 | P | cvs on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50541 | P | Security update for unzip (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63839 | P | Security update for java-1_7_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:53245 | P | Security update for yast2-rmt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50443 | P | Security update for tcpdump (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50931 | P | Security update for python-ecdsa (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64305 | P | libXinerama-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50054 | P | dhcp-relay on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50599 | P | Security update for bluez (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64285 | P | kdump on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:74607 | P | Security update for pdns (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51362 | P | Security update for perl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51791 | P | Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc (Important) | 2020-12-01
oval:org.opensuse.security:def:53349 | P | Security update for yast2-rmt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50540 | P | Security update for libqt5-qtsvg (Moderate) | 2020-12-01
oval:org.opensuse.security:def:74759 | P | Security update for yast2-rmt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64393 | P | libthai-data on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:53176 | P | Initial update for kernel-azure (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50696 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:64304 | P | libXi-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50466 | P | Security update for lua53 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64149 | P | Security update for perl-DBI (Important) | 2020-12-01
oval:org.opensuse.security:def:51198 | P | Security update for SDL2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50995 | P | Security update for spice-gtk (Moderate) | 2020-12-01
oval:org.opensuse.security:def:110421 | P | Security update for yast2-rmt (Moderate) | 2020-03-08
oval:org.opensuse.security:def:105425 | P | Security update for yast2-rmt (Moderate) | 2020-03-03
oval:org.opensuse.security:def:98735 | P | Security update for yast2-rmt (Moderate) | 2020-03-03
oval:org.opensuse.security:def:91785 | P | Security update for yast2-rmt (Moderate) | 2020-03-03
oval:org.opensuse.security:def:110402 | P | Security update for yast2-rmt (Moderate) | 2020-02-27

    yast2-rmt_project yast2-rmt *
    opensuse leap 15.0
    suse suse linux enterprise server 15
    suse linux enterprise server -