CVE-2019-18905 - OpenCVE

A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opensuse	Autoyast2
Suse	Linux Enterprise Server

Configuration 1 [-]

AND

cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*

cpe:2.3:a:opensuse:autoyast2:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:suse:linux_enterprise_server:15:*:*:*:*:*:*:*

cpe:2.3:a:opensuse:autoyast2:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html
https://bugzilla.suse.com/show_bug.cgi?id=1140711

History

No history.

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2020-04-03T11:00:16.880502Z

Updated: 2024-09-17T02:52:07.503Z

Reserved: 2019-11-12T00:00:00

Link: CVE-2019-18905

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-04-03T11:15:12.743

Modified: 2020-05-23T00:15:12.550

Link: CVE-2019-18905

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SUSE Linux Enterprise Server 12", "vendor": "SUSE", "versions": [{"lessThanOrEqual": "4.1.9-3.9.1", "status": "affected", "version": "autoyast2", "versionType": "custom"}]}, {"product": "SUSE Linux Enterprise Server 15", "vendor": "SUSE", "versions": [{"lessThanOrEqual": "4.0.70-3.20.1", "status": "affected", "version": "autoyast2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Matthias Gerstner of SUSE"}], "datePublic": "2020-04-03T00:00:00", "descriptions": [{"lang": "en", "value": "A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-05-22T23:06:15", "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"}, {"name": "openSUSE-SU-2020:0676", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"}], "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1140711", "defect": ["1140711"], "discovery": "INTERNAL"}, "title": "Deprecated functionality in autoyast2 automatically imports gpg keys without checking them", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@suse.com", "DATE_PUBLIC": "2020-04-03T00:00:00.000Z", "ID": "CVE-2019-18905", "STATE": "PUBLIC", "TITLE": "Deprecated functionality in autoyast2 automatically imports gpg keys without checking them"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SUSE Linux Enterprise Server 12", "version": {"version_data": [{"version_affected": "<=", "version_name": "autoyast2", "version_value": "4.1.9-3.9.1"}]}}, {"product_name": "SUSE Linux Enterprise Server 15", "version": {"version_data": [{"version_affected": "<=", "version_name": "autoyast2", "version_value": "4.0.70-3.20.1"}]}}]}, "vendor_name": "SUSE"}]}}, "credit": [{"lang": "eng", "value": "Matthias Gerstner of SUSE"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-345: Insufficient Verification of Data Authenticity"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=1140711", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"}, {"name": "openSUSE-SU-2020:0676", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"}]}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1140711", "defect": ["1140711"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:02:39.805Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"}, {"name": "openSUSE-SU-2020:0676", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"}]}]}, "cveMetadata": {"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "cveId": "CVE-2019-18905", "datePublished": "2020-04-03T11:00:16.880502Z", "dateReserved": "2019-11-12T00:00:00", "dateUpdated": "2024-09-17T02:52:07.503Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*", "matchCriteriaId": "15FC9014-BD85-4382-9D04-C0703E901D7A", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:autoyast2:*:*:*:*:*:*:*:*", "matchCriteriaId": "44A88954-B5F4-47A5-BB21-5F906D9A24BA", "versionEndIncluding": "4.1.9-3.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:15:*:*:*:*:*:*:*", "matchCriteriaId": "70A029CD-2AC4-4877-B1A4-5C72B351BA27", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:autoyast2:*:*:*:*:*:*:*:*", "matchCriteriaId": "2791981B-3387-463C-B622-49C1961AE7E2", "versionEndIncluding": "4.0.70-3.20.1", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de Verificaci\u00f3n Insuficiente de la Autenticidad de Datos en autoyast2 de SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, permite a atacantes remotos conexiones de tipo MITM cuando es usada la funcionalidad obsoleta y no utilizada autoyast para crear im\u00e1genes. Este problema afecta a: autoyast2 de SUSE Linux Enterprise Server 12 versi\u00f3n 4.1.9-3.9.1 y versiones anteriores. autoyast2 de SUSE Linux Enterprise Server 15 versi\u00f3n 4.0.70-3.20.1 y versiones anteriores."}], "id": "CVE-2019-18905", "lastModified": "2020-05-23T00:15:12.550", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2020-04-03T11:15:12.743", "references": [{"source": "meissner@suse.de", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"}, {"source": "meissner@suse.de", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-345"}], "source": "meissner@suse.de", "type": "Secondary"}]}