CVE-2019-18905

A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions.

CVSS v3 5.9 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html
https://bugzilla.suse.com/show_bug.cgi?id=1140711	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:opensuse:autoyast2:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:a:opensuse:autoyast2:*:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:15:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-04-03 11:15

Updated : 2024-02-04 21:00

NVD link : CVE-2019-18905

Mitre link : CVE-2019-18905

CVE.ORG link : CVE-2019-18905

JSON object : View

Products Affected

suse

linux_enterprise_server

opensuse

autoyast2

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2019-18905", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "meissner@suse.de", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.2}]}, "published": "2020-04-03T11:15:12.743", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html", "source": "meissner@suse.de"}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "meissner@suse.de"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}, {"type": "Secondary", "source": "meissner@suse.de", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de Verificaci\u00f3n Insuficiente de la Autenticidad de Datos en autoyast2 de SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, permite a atacantes remotos conexiones de tipo MITM cuando es usada la funcionalidad obsoleta y no utilizada autoyast para crear im\u00e1genes. Este problema afecta a: autoyast2 de SUSE Linux Enterprise Server 12 versi\u00f3n 4.1.9-3.9.1 y versiones anteriores. autoyast2 de SUSE Linux Enterprise Server 15 versi\u00f3n 4.0.70-3.20.1 y versiones anteriores."}], "lastModified": "2020-05-23T00:15:12.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:autoyast2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44A88954-B5F4-47A5-BB21-5F906D9A24BA", "versionEndIncluding": "4.1.9-3.9.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "15FC9014-BD85-4382-9D04-C0703E901D7A"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:autoyast2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2791981B-3387-463C-B622-49C1961AE7E2", "versionEndIncluding": "4.0.70-3.20.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:15:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "70A029CD-2AC4-4877-B1A4-5C72B351BA27"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "meissner@suse.de"}