{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:H/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-15T17:06:50", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/projectatomic/bubblewrap/issues/304"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3"}, {"name": "openSUSE-SU-2019:1535", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html"}, {"name": "openSUSE-SU-2019:1721", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html"}, {"name": "RHSA-2019:1833", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1833"}, {"name": "GLSA-202006-18", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202006-18"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12439", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:H/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/projectatomic/bubblewrap/issues/304", "refsource": "MISC", "url": "https://github.com/projectatomic/bubblewrap/issues/304"}, {"name": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e", "refsource": "MISC", "url": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"}, {"name": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3", "refsource": "MISC", "url": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3"}, {"name": "openSUSE-SU-2019:1535", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html"}, {"name": "openSUSE-SU-2019:1721", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html"}, {"name": "RHSA-2019:1833", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1833"}, {"name": "GLSA-202006-18", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202006-18"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:17:40.131Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/projectatomic/bubblewrap/issues/304"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3"}, {"name": "openSUSE-SU-2019:1535", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html"}, {"name": "openSUSE-SU-2019:1721", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html"}, {"name": "RHSA-2019:1833", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1833"}, {"name": "GLSA-202006-18", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202006-18"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12439", "datePublished": "2019-05-29T14:42:08", "dateReserved": "2019-05-29T00:00:00", "dateUpdated": "2024-08-04T23:17:40.131Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:projectatomic:bubblewrap:*:*:*:*:*:*:*:*", "matchCriteriaId": "D39BE3CC-42B1-4008-A900-798FA1445831", "versionEndExcluding": "0.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code."}, {"lang": "es", "value": "El archivo bubblewrap.c en Bubblewrap anterior de versi\u00f3n 0.3.3, utiliza de manera incorrecta directorios temporales en /tmp como un punto de montaje. En algunas configuraciones particulares (relacionadas con XDG_RUNTIME_DIR), un atacante local puede abusar de este defecto para prevenir que otros usuarios ejecuten bubblewrap o potencialmente ejecute c\u00f3digo."}], "id": "CVE-2019-12439", "lastModified": "2020-06-15T18:15:13.287", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.4, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2019-05-29T15:29:00.377", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00028.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00015.html"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:1833"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/projectatomic/bubblewrap/commit/efc89e3b939b4bde42c10f065f6b7b02958ed50e"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/projectatomic/bubblewrap/issues/304"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202006-18"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "ansible-runner-0:1.3.4-2.el7ar", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "ansible-tower-0:3.5.0-1.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "bubblewrap-0:0.3.3-2.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "cfme-0:5.10.7.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "cfme-amazon-smartstate-0:5.10.7.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "cfme-appliance-0:5.10.7.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "cfme-gemset-0:5.10.7.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "ovirt-ansible-hosted-engine-setup-0:1.0.20-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "ovirt-ansible-image-template-0:1.1.11-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "ovirt-ansible-manageiq-0:1.1.14-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}, {"advisory": "RHSA-2019:1833", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "low", "package": "ovirt-ansible-vm-infra-0:1.1.18-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-07-24T00:00:00Z"}], "bugzilla": {"description": "bubblewrap: temporary directory misuse as mount point", "id": "1695963", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695963"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-377", "details": ["bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code."], "mitigation": {"lang": "en:us", "value": "The default setting of `fs.protected_symlinks = 1` prevents any Confidentiality or Integrity impact from exploiting this vulnerability, reducing its rating to Low severity (4.7/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)."}, "name": "CVE-2019-12439", "package_state": [{"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Affected", "impact": "low", "package_name": "bubblewrap", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "bubblewrap", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2019-03-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-12439\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-12439"], "statement": "This flaw requires a local user account to exploit. Since local users without root privileges are not supported on Red Had CloudForms, or on Red Hat Ansible Tower, this vulnerability is rated Low severity on these products. Future updates may address this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "bubblewrap 0.3.3"}