Vulnerability Name:

CVE-2019-15523 (CCN-195015)

Assigned: 2019-08-23
Published: 2020-12-30
Updated: 2021-01-04
Summary: An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-252
Vulnerability Consequences: Bypass Security
References: Source: MITRE
Type: CNA
CVE-2019-15523

Source: XF
Type: UNKNOWN
linbit-csync2-cve201915523-sec-bypass(195015)

Source: CCN
Type: csync2 GIT Repository
some security improvements #13

Source: CCN
Type: Debian Mailing List, Mon, 04 Jan 2021 16:49:43 +0000
[DLA 2515-1] csync2 security update

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-15523

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:112123 | P | csync2-2.0+git.1600444747.83b3644-1.3 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:105660 | P | Security update for binutils (Moderate) | 2021-11-04
oval:org.opensuse.security:def:97030 | P | postgresql-contrib-10-6.8 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:19608 | P | Security update for csync2 (Moderate) | 2021-06-10
oval:org.opensuse.security:def:4276 | P | Security update for csync2 (Moderate) | 2021-06-10
oval:org.opensuse.security:def:19515 | P | Security update for csync2 (Moderate) | 2021-06-10
oval:org.opensuse.security:def:19565 | P | Security update for csync2 (Moderate) | 2021-06-10
oval:org.opensuse.security:def:125097 | P | Security update for csync2 (Moderate) | 2021-06-10
oval:org.opensuse.security:def:111426 | P | Security update for csync2 (Moderate) | 2021-06-07
oval:org.opensuse.security:def:102860 | P | Security update for csync2 (Moderate) | 2021-06-04
oval:org.opensuse.security:def:91875 | P | Security update for csync2 (Moderate) | 2021-06-04
oval:org.opensuse.security:def:109526 | P | Security update for csync2 (Moderate) | 2021-06-04
oval:org.opensuse.security:def:8253 | P | Security update for csync2 (Moderate) | 2021-06-04
oval:org.opensuse.security:def:96170 | P | Security update for csync2 (Moderate) | 2021-06-04
oval:org.opensuse.security:def:118622 | P | Security update for csync2 (Moderate) | 2021-06-04
oval:org.opensuse.security:def:8319 | P | Security update for csync2 (Moderate) | 2021-06-04
oval:org.opensuse.security:def:98825 | P | Security update for csync2 (Moderate) | 2021-06-04
oval:org.opensuse.security:def:8360 | P | Security update for csync2 (Moderate) | 2021-06-04