{"containers": {"cna": {"affected": [{"product": "kernel", "vendor": "Linux kernel", "versions": [{"status": "affected", "version": "< 5.0.10"}]}], "descriptions": [{"lang": "en", "value": "The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "description": "CWE-362", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-667", "description": "CWE-667", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-14T17:20:08", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114"}, {"tags": ["x_refsource_MISC"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.37"}, {"tags": ["x_refsource_MISC"], "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.10"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1790"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200608-0001/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14898"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:39.172Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.37"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.10"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1790"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200608-0001/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14898"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-14898", "datePublished": "2020-05-08T13:50:58", "dateReserved": "2019-08-10T00:00:00", "dateUpdated": "2024-08-05T00:26:39.172Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "BC04A270-6381-4956-B12B-4E970BB69149", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C60FA8B1-1802-4522-A088-22171DCF7A93", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls."}, {"lang": "es", "value": "La correcci\u00f3n para el CVE-2019-11599, que afectaba al kernel de Linux versiones anteriores a 5.0.10, no estaba completa. Un usuario local podr\u00eda usar este fallo para conseguir infomaci\u00f3n confidencial, causar una denegaci\u00f3n de servicio o posiblemente tener otros impactos no especificados al desencadenar una condici\u00f3n de carrera on llamadas de mmget_not_zero o get_task_mm."}], "id": "CVE-2019-14898", "lastModified": "2024-11-21T04:27:38.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-08T14:15:11.640", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit", "Mailing List", "Patch", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1790"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14898"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.37"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.10"}, {"source": "secalert@redhat.com", "url": "https://security.netapp.com/advisory/ntap-20200608-0001/"}, {"source": "secalert@redhat.com", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Patch", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1790"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14898"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.37"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20200608-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-667"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Vladis Dronov (Red Hat Engineering).", "affected_release": [{"advisory": "RHSA-2020:0375", "cpe": "cpe:/a:redhat:rhel_extras_rt:7", "package": "kernel-rt-0:3.10.0-1062.12.1.rt56.1042.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-02-04T00:00:00Z"}, {"advisory": "RHSA-2020:0374", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kernel-0:3.10.0-1062.12.1.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-02-04T00:00:00Z"}, {"advisory": "RHSA-2020:0328", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-147.5.1.rt24.98.el8_1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-02-04T00:00:00Z"}, {"advisory": "RHSA-2020:0339", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-147.5.1.el8_1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-02-04T00:00:00Z"}], "bugzilla": {"description": "kernel: incomplete fix for race condition between mmget_not_zero()/get_task_mm() and core dumping in CVE-2019-11599", "id": "1774671", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1774671"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-362->CWE-667", "details": ["The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.", "The fix for CVE-2019-11599 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2019-14898", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-alt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise MRG 2"}], "public_date": "2019-11-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-14898\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14898\nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=1790\nhttps://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114\nhttps://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.37\nhttps://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.10"], "statement": "The Red Hat Enterprise Linux 7 kernel versions prior to Red Hat Enterprise Linux 7.7 GA kernel (version 3.10.0-1062 released via RHSA-2019:2029) were never affected by CVE-2019-14898 (ie the incomplete fix for CVE-2019-1159) because they never backported the incomplete fix for CVE-2019-11599 in the first place; CVE-2019-11599 was fixed there fully, ie backport consisted of both CVE-2019-11599 and CVE-2019-14898 patches.", "threat_severity": "Moderate"}