CVE-2018-15912 - OpenCVE

An issue was discovered in manjaro-update-system.sh in manjaro-system 20180716-1 on Manjaro Linux. A local attacker can install or remove arbitrary packages and package repositories potentially containing hooks with arbitrary code, which will automatically be run as root, or remove packages vital to the system.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Manjaro	Manjaro Linux

Configuration 1 [-]

cpe:2.3:o:manjaro:manjaro_linux:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://gitlab.manjaro.org/packages/core/manjaro-system/commit/8208b8a
https://lists.manjaro.org/pipermail/manjaro-security/2018-August/000785.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-08-29T19:00:00

Updated: 2024-08-05T10:10:05.136Z

Reserved: 2018-08-28T00:00:00

Link: CVE-2018-15912

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-08-29T19:29:00.967

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-15912

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-08-28T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in manjaro-update-system.sh in manjaro-system 20180716-1 on Manjaro Linux. A local attacker can install or remove arbitrary packages and package repositories potentially containing hooks with arbitrary code, which will automatically be run as root, or remove packages vital to the system."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-08-29T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.manjaro.org/packages/core/manjaro-system/commit/8208b8a"}, {"name": "[manjaro-security] 20180828 [MSA-201808-1] Local PrivEsc, ACE, and DoS vulnerability in manjaro-system 20180716-1 and earlier", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.manjaro.org/pipermail/manjaro-security/2018-August/000785.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-15912", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in manjaro-update-system.sh in manjaro-system 20180716-1 on Manjaro Linux. A local attacker can install or remove arbitrary packages and package repositories potentially containing hooks with arbitrary code, which will automatically be run as root, or remove packages vital to the system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.manjaro.org/packages/core/manjaro-system/commit/8208b8a", "refsource": "CONFIRM", "url": "https://gitlab.manjaro.org/packages/core/manjaro-system/commit/8208b8a"}, {"name": "[manjaro-security] 20180828 [MSA-201808-1] Local PrivEsc, ACE, and DoS vulnerability in manjaro-system 20180716-1 and earlier", "refsource": "MLIST", "url": "https://lists.manjaro.org/pipermail/manjaro-security/2018-August/000785.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T10:10:05.136Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gitlab.manjaro.org/packages/core/manjaro-system/commit/8208b8a"}, {"name": "[manjaro-security] 20180828 [MSA-201808-1] Local PrivEsc, ACE, and DoS vulnerability in manjaro-system 20180716-1 and earlier", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.manjaro.org/pipermail/manjaro-security/2018-August/000785.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-15912", "datePublished": "2018-08-29T19:00:00", "dateReserved": "2018-08-28T00:00:00", "dateUpdated": "2024-08-05T10:10:05.136Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:manjaro:manjaro_linux:*:*:*:*:*:*:*:*", "matchCriteriaId": "D032981B-29C2-459E-9378-2EAB31AD54F4", "versionEndIncluding": "20180716-1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in manjaro-update-system.sh in manjaro-system 20180716-1 on Manjaro Linux. A local attacker can install or remove arbitrary packages and package repositories potentially containing hooks with arbitrary code, which will automatically be run as root, or remove packages vital to the system."}, {"lang": "es", "value": "Se ha descubierto un problema en manjaro-update-system.sh en manjaro-system 20180716-1 en Manjaro Linux. Un atacante local puede instalar o eliminar paquetes arbitrarios y repositorios de paquetes que podr\u00edan contener enlaces con c\u00f3digo arbitrario, que se ejecutar\u00e1n autom\u00e1ticamente como root, o eliminar paquetes fundamentales para el sistema."}], "id": "CVE-2018-15912", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-29T19:29:00.967", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://gitlab.manjaro.org/packages/core/manjaro-system/commit/8208b8a"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Vendor Advisory"], "url": "https://lists.manjaro.org/pipermail/manjaro-security/2018-August/000785.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}