Vulnerability Name:

CVE-2019-3685 (CCN-170994)

Assigned:2019-07-23
Published:2019-07-23
Updated:2019-11-08
Summary:Open Build Service before version 0.165.4 didn't validate TLS certificates for HTTPS connections with the osc client binary
CVSS v3 Severity:7.7 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)
6.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): Low
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.9 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-295
Vulnerability Consequences:Obtain Information
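Worked example added to this record (it is not code from osc or the Open Build Service, and the record does not show the pre-fix osc code path): the weak HTTPS client pattern the summary describes, where TLS encrypts the channel but no certificate or hostname is checked, beside its validated form, plus a small audit helper that refuses to hand out a connection built on an unverified context. Python is used because osc is a Python client; the function names, the audit rule codes and the placeholder host are this example's own.

```python
"""Weak vs. hardened TLS client setup for an HTTPS API client.

Added illustration of CWE-295 (improper certificate validation) for this
record; it is not code from osc or the Open Build Service, and the function
names and audit rules are this example's own.
"""
import http.client
import ssl
from typing import List, Optional


def build_unverified_context() -> ssl.SSLContext:
    """The weak pattern: the channel is encrypted, but any certificate is
    accepted, so an on-path attacker can terminate TLS with their own
    certificate and read or alter API traffic, including credentials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_verified_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: chain validation against the system trust store (or a
    specific bundle), hostname matching, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a short code for each weakness in a client context ([] is OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-validation")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak-min-version")
    return findings


def api_connection(host: str, ctx: ssl.SSLContext) -> http.client.HTTPSConnection:
    """Prepare (without opening) an HTTPS connection, refusing any context that
    fails the audit so a misconfiguration cannot silently downgrade the client."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("insecure TLS context: " + ", ".join(problems))
    return http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)


if __name__ == "__main__":
    for name, ctx in (("unverified", build_unverified_context()),
                      ("verified", build_verified_context())):
        print(f"{name}: {audit_context(ctx) or 'OK'}")
```

The check in api_connection is the point: a client that only ever obtains its connection through a gate like this cannot regress to CERT_NONE without failing loudly, whereas the pre-fix behaviour the summary describes fails open.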
References:Source: MITRE
Type: CNA
CVE-2019-3685

Source: CCN
Type: Bugzilla - Bug 1142518
VUL-0: CVE-2019-3685: osc: inadequate TLS certificate validation for HTTPS connections

Source: CONFIRM
Type: Exploit, Issue Tracking, Patch, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1142518

Source: XF
Type: UNKNOWN
osc-cve20193685-mitm(170994)

Source: CCN
Type: Open Build Service Web site
Open Build Service

Vulnerable Configuration:Configuration 1:
  • cpe:/a:opensuse:open_build_service:*:*:*:*:*:*:*:* (Version < 0.165.4)

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class (V = vulnerability, P = patch) | Title | Last Modified
    oval:org.opensuse.security:def:20193685 | V | CVE-2019-3685 | 2023-06-22
    oval:org.opensuse.security:def:8048 | P | osc-0.182.0-150100.3.32.1 on GA media (Moderate) | 2023-06-20
    oval:org.opensuse.security:def:3022 | P | axis-1.4-290.6.1 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:3012 | P | apache2-mod_jk-1.2.40-7.3.1 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:3413 | P | yast2-users-3.2.19-1.16 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:95043 | P | osc-0.172.0-3.26.1 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:1411 | P | Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP3) (Important) | 2022-02-01
    oval:org.opensuse.security:def:113076 | P | osc-0.174.0-1.2 on GA media (Moderate) | 2022-01-17
    oval:org.opensuse.security:def:106513 | P | Security update for java-1_8_0-ibm (Important) (in QA) | 2022-01-04
    oval:org.opensuse.security:def:63195 | P | apache2-mod_nss-1.0.17-1.28 on GA media (Moderate) | 2021-09-21
    oval:org.opensuse.security:def:74310 | P | Security update for ghostscript (Critical) | 2021-09-15
    oval:org.opensuse.security:def:2341 | P | libgstaudio-1_0-0-32bit-1.16.2-2.12 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:63057 | P | libmunge2-0.5.14-11.1 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:2332 | P | ffmpeg-3.4.2-9.2 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:2328 | P | nodejs14-14.16.0-5.9.1 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:2297 | P | yast2-rmt-1.3.2-3.3.1 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:2374 | P | binutils-gold-2.35.1-7.18.1 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:2372 | P | vpx-tools-1.6.1-6.6.8 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:2367 | P | rsvg-view-2.42.8-3.3.1 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:63421 | P | ffmpeg-3.4.2-9.2 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:2361 | P | python2-SQLAlchemy-1.2.14-6.3.1 on GA media (Moderate) | 2021-08-10
    oval:org.opensuse.security:def:100862 | P | java-11-openjdk-11.0.10.0-3.53.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:101287 | P | osc-0.172.0-3.26.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:72748 | P | osc-0.172.0-3.26.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:71851 | P | ldb-tools-2.2.1-1.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:71967 | P | libtasn1-4.13-4.5.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:1940 | P | osc-0.172.0-3.26.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:63029 | P | osc-0.172.0-3.26.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:66828 | P | Security update for containerd, docker, runc (Important) | 2021-06-11
    oval:org.opensuse.security:def:48959 | P | openconnect-7.08-1.27 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:48833 | P | gcc48-gij-32bit-4.8.5-30.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:62855 | P | guile-2.0.14-3.18 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:48815 | P | raptor-2.0.10-3.67 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:48814 | P | python-devel-2.7.9-24.2 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:68511 | P | Security update for postgresql13 (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:68614 | P | Security update for python-httplib2 (Moderate) | 2021-05-19
    oval:org.opensuse.security:def:66736 | P | Security update for opensc (Moderate) | 2021-04-13
    oval:org.opensuse.security:def:65267 | P | Security update for jasper (Important) | 2021-02-16
    oval:org.opensuse.security:def:73401 | P | Security update for webkit2gtk3 (Important) | 2020-12-17
    oval:org.opensuse.security:def:73519 | P | Security update for gcc10, nvptx-tools (Moderate) | 2020-12-04
    oval:org.opensuse.security:def:62376 | P | docker-19.03.5_ce-6.31.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:72689 | P | osc-0.168.2-3.15.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:117086 | P | osc-0.168.2-3.15.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:62375 | P | containerd-1.2.10-5.19.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:107528 | P | osc-0.168.2-3.15.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:62576 | P | libpotrace0-1.15-3.19 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:94149 | P | osc-0.168.2-3.15.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:1881 | P | osc-0.168.2-3.15.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:2316 | P | apache-commons-fileupload-1.4-1.63 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:62399 | P | conky-1.10.6-1.46 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:62970 | P | osc-0.168.2-3.15.1 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:2306 | P | apache-commons-beanutils-1.9.2-2.46 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:2301 | P | jakarta-commons-fileupload-1.1.1-2.82 on GA media (Moderate) | 2020-12-03
    oval:org.opensuse.security:def:70079 | P | libavcodec57 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:50046 | P | apache2-mod_apparmor on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49883 | P | pam-modules on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:65177 | P | Security update for libopenmpt (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:74184 | P | Security update for the Linux Kernel (Important) | 2020-12-01
    oval:org.opensuse.security:def:64090 | P | Security update for xen (Important) | 2020-12-01
    oval:org.opensuse.security:def:49793 | P | ocaml on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:64244 | P | ecryptfs-utils on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:63988 | P | Security update for LibreOffice (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49559 | P | libmicrohttpd-devel on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49852 | P | osc on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:50015 | P | libspice-server-devel on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:63882 | P | Security update for ghostscript (Important) | 2020-12-01
    oval:org.opensuse.security:def:49402 | P | flatpak on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49798 | P | perl-Archive-Extract on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:63748 | P | Security update for ImageMagick (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:51457 | P | Security update for osc (Important) | 2020-12-01
    oval:org.opensuse.security:def:49306 | P | procmail on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:64132 | P | Security update for LibVNCServer (Important) | 2020-12-01
    oval:org.opensuse.security:def:70184 | P | osc on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49162 | P | libcontainers-common on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:51395 | P | Security update for libX11 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:50119 | P | apache2-mod_php7 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:49950 | P | guestfs-data on GA media (Moderate) | 2020-12-01
    oval:com.ubuntu.disco:def:201936850000000 | V | CVE-2019-3685 on Ubuntu 19.04 (disco) - medium. | 2019-11-05
    oval:com.ubuntu.bionic:def:201936850000000 | V | CVE-2019-3685 on Ubuntu 18.04 LTS (bionic) - medium. | 2019-11-05
    oval:com.ubuntu.xenial:def:201936850000000 | V | CVE-2019-3685 on Ubuntu 16.04 LTS (xenial) - medium. | 2019-11-05
    oval:org.opensuse.security:def:109934 | P | Security update for osc (Important) | 2019-08-12
    oval:org.opensuse.security:def:90625 | P | Security update for osc (Important) | 2019-08-06
    oval:org.opensuse.security:def:97590 | P | Security update for osc (Important) | 2019-08-06
    oval:org.opensuse.security:def:104280 | P | Security update for osc (Important) | 2019-08-06