Vulnerability Name:

CVE-2019-18905 (CCN-182041)

Assigned: 2019-07-08
Published: 2019-07-08
Updated: 2020-05-23
Summary: An Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12 and SUSE Linux Enterprise Server 15 allows remote attackers to man-in-the-middle connections when deprecated and unused functionality of autoyast is used to create images. The SUSE Bugzilla entry referenced below attributes the issue to insecure use of the zypper option --gpg-auto-import-keys, which makes the package manager trust whatever repository signing key it is offered instead of requiring a key that was trusted in advance; an attacker who can intercept the repository connection can therefore substitute packages, which is why the impact is rated as integrity only. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions; SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions.
CVSS v3 Severity: 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:C/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Type: CWE-345 (Insufficient Verification of Data Authenticity)
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2019-18905

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2020:0676

Source: CCN
Type: Bugzilla – Bug 1140711
(CVE-2019-18905) VUL-1: CVE-2019-18905: autoyast2: insecure use of --gpg-auto-import-keys?

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1140711

Source: XF
Type: UNKNOWN
suse-cve201918905-mitm(182041)

Vulnerable Configuration:
  Configuration 1:
  • cpe:/a:opensuse:autoyast2:*:*:*:*:*:*:*:* (Version <= 4.1.9-3.9.1)
  • AND
  • cpe:/o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*

  Configuration 2:
  • cpe:/a:opensuse:autoyast2:*:*:*:*:*:*:*:* (Version <= 4.0.70-3.20.1)
  • AND
  • cpe:/o:suse:linux_enterprise_server:15:*:*:*:*:*:*:*

  Configuration CCN 1:
  • cpe:/o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:15:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
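The affected configurations above are expressed as RPM version-release ceilings per SLES major release, so deciding whether a host is in scope means comparing its installed autoyast2 package against those ceilings with RPM's ordering rules, not with plain string or float comparison (4.1.10 is newer than 4.1.9, for instance). The script below is an example added to this record; it is not SUSE tooling and the `rpm -q` and /etc/os-release inputs in it are constructed. It implements the segment rule of librpm's rpmvercmp (runs of digits compare as integers, runs of letters lexically, a numeric segment outranks an alphabetic one, and the string with segments left over is newer) and applies it to the two configurations listed. Epoch and the '~' / '^' ordering characters are deliberately left out as a simplification.

```python
"""Match an installed autoyast2 against the affected ranges of CVE-2019-18905.

Example code added to this record; it is not SUSE tooling and the sample inputs
below are constructed. Epoch, '~' and '^' ordering are not implemented.
"""
import re

# Affected configurations from the record: version-release at or below these
# ceilings is vulnerable, keyed by SLES major release.
AFFECTED_CEILING = {
    "12": "4.1.9-3.9.1",
    "15": "4.0.70-3.20.1",
}

# A segment is a maximal run of digits or of letters; anything else separates.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _cmp(a, b):
    """Three-way comparison: -1, 0 or 1."""
    return (a > b) - (a < b)


def rpmvercmp(a, b):
    """Compare two version (or release) strings with the librpm segment rule."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            # Numeric: drop leading zeros, then the longer string is larger,
            # and equal-length strings compare lexically (same as integers).
            x, y = x.lstrip("0"), y.lstrip("0")
            c = _cmp(len(x), len(y)) or _cmp(x, y)
        elif x.isdigit() or y.isdigit():
            # Mixed types: the numeric segment is the newer one.
            c = 1 if x.isdigit() else -1
        else:
            c = _cmp(x, y)  # both alphabetic: plain lexical order
        if c:
            return c
    # All shared segments equal: whichever string has segments left is newer.
    return _cmp(len(sa), len(sb))


def vrcmp(a, b):
    """Compare 'version-release' strings: version first, release on a tie."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by `rpm -q <pkg>`.

    Names may contain hyphens, so version and release are taken from the right.
    """
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def os_release_major(text):
    """Return the major release from the VERSION_ID line of /etc/os-release."""
    m = re.search(r'^VERSION_ID="?([0-9]+)', text, re.M)
    return m.group(1) if m else None


def is_affected(rpm_q_line, os_release_text):
    """True if the installed autoyast2 falls inside an affected configuration."""
    name, version, release, _arch = parse_nvra(rpm_q_line)
    if name != "autoyast2":
        raise ValueError(f"expected autoyast2, got {name}")
    ceiling = AFFECTED_CEILING.get(os_release_major(os_release_text) or "")
    if ceiling is None:
        return False  # not one of the configurations listed in the record
    return vrcmp(f"{version}-{release}", ceiling) <= 0


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    SAMPLES = [
        ("autoyast2-4.1.9-3.9.1.noarch", 'NAME="SLES"\nVERSION_ID="12.4"\n'),
        ("autoyast2-4.1.9-3.9.2.noarch", 'NAME="SLES"\nVERSION_ID="12.4"\n'),
        ("autoyast2-4.0.70-3.20.1.noarch", 'NAME="SLES"\nVERSION_ID="15.1"\n'),
        ("autoyast2-4.0.71-1.1.noarch", 'NAME="SLES"\nVERSION_ID="15.1"\n'),
    ]
    for rpm_line, osr in SAMPLES:
        verdict = "affected" if is_affected(rpm_line, osr) else "not affected"
        print(f"{rpm_line}: {verdict}")
```

On a real host the two inputs come from `rpm -q autoyast2` and `cat /etc/os-release`; the release part of the comparison matters here because the SLES 12 fix shipped as a release bump of the same 4.1.9 version, so a check that looks only at the version field would report patched hosts as vulnerable.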
    Oval Definitions
    Definition ID | Class (V = vulnerability, P = patch) | Title | Last Modified
    oval:org.opensuse.security:def:201918905 | V | CVE-2019-18905 | 2023-06-22
    oval:org.opensuse.security:def:7443 | P | autoyast2-4.5.13-150500.1.1 on GA media (Moderate) | 2023-06-12
    oval:org.opensuse.security:def:612 | P | Security update for rubygem-tzinfo (Important) | 2022-07-29
    oval:org.opensuse.security:def:94501 | P | autoyast2-4.4.36-150400.1.6 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:2871 | P | autoyast2-4.4.36-150400.1.6 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:12 | P | autoyast2-4.3.77-1.1 on GA media (Moderate) | 2022-06-13
    oval:org.opensuse.security:def:1666 | P | Security update for libvirt (Moderate) | 2022-05-05
    oval:org.opensuse.security:def:941 | P | Security update for tiff (Important) | 2022-02-17
    oval:org.opensuse.security:def:111991 | P | autoyast2-4.4.16-1.1 on GA media (Moderate) | 2022-01-17
    oval:org.opensuse.security:def:64628 | P | Security update for mozilla-nss (Important) | 2021-12-06
    oval:org.opensuse.security:def:68301 | P | Security update for the Linux Kernel (Live Patch 14 for SLE 15 SP2) (Important) | 2021-11-17
    oval:org.opensuse.security:def:64798 | P | Security update for the Linux Kernel (Important) | 2021-11-11
    oval:org.opensuse.security:def:74740 | P | Security update for go1.17 (Moderate) | 2021-10-20
    oval:org.opensuse.security:def:105552 | P | autoyast2-4.4.16-1.1 on GA media (Moderate) | 2021-10-01
    oval:org.opensuse.security:def:69704 | P | Security update for MozillaFirefox (Important) | 2021-08-17
    oval:org.opensuse.security:def:48198 | P | libsqlite3-0-3.8.10.2-9.12.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:48184 | P | libqt4-32bit-4.8.7-8.8.1 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:48319 | P | systemtap-3.0-20.11 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:48183 | P | libqpdf18-7.1.1-3.3.4 on GA media (Moderate) | 2021-08-16
    oval:org.opensuse.security:def:63374 | P | sca-patterns-sle12-1.0.2-1.1 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:62030 | P | autoyast2-4.3.77-1.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:100788 | P | autoyast2-4.3.77-1.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:71771 | P | autoyast2-4.3.77-1.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:68201 | P | Security update for the Linux Kernel (Important) | 2021-07-14
    oval:org.opensuse.security:def:64526 | P | Security update for libjpeg-turbo (Moderate) | 2021-06-11
    oval:org.opensuse.security:def:48644 | P | w3m-0.5.3-157.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:48884 | P | rhythmbox-3.4-6.14 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:62875 | P | perl-YAML-LibYAML-0.59-1.16 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:62871 | P | perl-DNS-LDNS-1.7.0-2.22 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:48512 | P | libjpeg-turbo-1.3.1-30.3 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:62878 | P | subversion-bash-completion-1.10.0-1.24 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:48736 | P | libjavascriptcoregtk-1_0-0-2.4.8-16.2 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:64686 | P | Security update for openvpn (Moderate) | 2021-05-12
    oval:org.opensuse.security:def:100381 | P | (Moderate) | 2021-03-11
    oval:org.opensuse.security:def:69599 | P | Security update for grub2 (Important) | 2021-03-02
    oval:org.opensuse.security:def:64282 | P | Security update for python3 (Important) | 2020-12-23
    oval:org.opensuse.security:def:49053 | P | raptor-2.0.10-3.67 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:62903 | P | jython-2.2.1-4.36 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:2304 | P | tomcat-9.0.5-1.34 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:71541 | P | libXtst-devel-1.2.3-1.24 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:71442 | P | autoyast2-4.2.37-1.6 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:71654 | P | libxslt-devel-1.1.32-3.8.24 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:48999 | P | java-1_7_0-openjdk-plugin-1.6.2-2.8.3 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:116605 | P | autoyast2-4.2.37-1.6 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:63081 | P | java-1_8_0-openjdk-1.8.0.242-3.30.2 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:63577 | P | gnome-photos-3.26.3-4.3.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:93668 | P | autoyast2-4.2.37-1.6 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:107047 | P | autoyast2-4.2.37-1.6 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:61701 | P | autoyast2-4.2.37-1.6 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:64418 | P | mozilla-nspr-32bit on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:64867 | P | Security update for python-SQLAlchemy (Important) | 2020-12-01
    oval:org.opensuse.security:def:49244 | P | libthai-data on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:74873 | P | Security update for autoyast2 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49340 | P | sysstat on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49182 | P | libjpeg8 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:63724 | P | Security update for glib2 (Important) | 2020-12-01
    oval:org.opensuse.security:def:50741 | P | Security update for autoyast2 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:66256 | P | Security update for the Linux Kernel (Important) | 2020-12-01
    oval:org.opensuse.security:def:64419 | P | mutt on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:64954 | P | Security update for autoyast2 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:72921 | P | Security update for haproxy (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49309 | P | python3-PyYAML on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49098 | P | gdk-pixbuf-devel on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:73039 | P | autoyast2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:50687 | P | Security update for binutils (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49411 | P | gstreamer-devel on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:63953 | P | Security update for ed (Low) | 2020-12-01
    oval:org.opensuse.security:def:66348 | P | autoyast2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:110535 | P | Security update for autoyast2 (Moderate) | 2020-05-22
    oval:org.opensuse.security:def:90280 | P | Security update for autoyast2 (Moderate) | 2020-05-18
    oval:org.opensuse.security:def:103935 | P | Security update for autoyast2 (Moderate) | 2020-05-18