CVE-2019-3687 - OpenCVE

The permission package in SUSE Linux Enterprise Server allowed all local users to run dumpcap in the "easy" permission profile and sniff network traffic. This issue affects: SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 to 081d081dcfaf61710bda34bc21c80c66276119aa.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Suse	Linux Enterprise Server

Configuration 1 [-]

cpe:2.3:o:suse:linux_enterprise_server:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html
https://bugzilla.suse.com/show_bug.cgi?id=1148788

History

No history.

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2020-01-24T08:25:14.454947Z

Updated: 2024-09-16T20:16:49.597Z

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3687

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-01-24T09:15:13.047

Modified: 2020-03-05T01:15:10.787

Link: CVE-2019-3687

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SUSE Linux Enterprise Server", "vendor": "SUSE", "versions": [{"lessThan": "081d081dcfaf61710bda34bc21c80c66276119aa", "status": "affected", "version": "permissions", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Malte Kraus of SUSE"}], "datePublic": "2019-08-30T00:00:00", "descriptions": [{"lang": "en", "value": "The permission package in SUSE Linux Enterprise Server allowed all local users to run dumpcap in the \"easy\" permission profile and sniff network traffic. This issue affects: SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 to 081d081dcfaf61710bda34bc21c80c66276119aa."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-05T00:06:01", "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1148788"}, {"name": "openSUSE-SU-2020:0302", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html"}], "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1148788", "defect": ["1148788"], "discovery": "INTERNAL"}, "title": "\"easy\" permission profile allows everyone execute dumpcap and read all network traffic", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@suse.com", "DATE_PUBLIC": "2019-08-30T00:00:00.000Z", "ID": "CVE-2019-3687", "STATE": "PUBLIC", "TITLE": "\"easy\" permission profile allows everyone execute dumpcap and read all network traffic"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SUSE Linux Enterprise Server", "version": {"version_data": [{"version_affected": "<", "version_name": "permissions", "version_value": "081d081dcfaf61710bda34bc21c80c66276119aa"}]}}]}, "vendor_name": "SUSE"}]}}, "credit": [{"lang": "eng", "value": "Malte Kraus of SUSE"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The permission package in SUSE Linux Enterprise Server allowed all local users to run dumpcap in the \"easy\" permission profile and sniff network traffic. This issue affects: SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 to 081d081dcfaf61710bda34bc21c80c66276119aa."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276: Incorrect Default Permissions"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=1148788", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1148788"}, {"name": "openSUSE-SU-2020:0302", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html"}]}, "source": {"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1148788", "defect": ["1148788"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:19:16.823Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1148788"}, {"name": "openSUSE-SU-2020:0302", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html"}]}]}, "cveMetadata": {"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "assignerShortName": "suse", "cveId": "CVE-2019-3687", "datePublished": "2020-01-24T08:25:14.454947Z", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-09-16T20:16:49.597Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "36904958-A9D5-44E0-9404-28221FE1274A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The permission package in SUSE Linux Enterprise Server allowed all local users to run dumpcap in the \"easy\" permission profile and sniff network traffic. This issue affects: SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 to 081d081dcfaf61710bda34bc21c80c66276119aa."}, {"lang": "es", "value": "El paquete de permisos en SUSE Linux Enterprise Server, permiti\u00f3 a todos los usuarios locales ejecutar dumpcap en el perfil de permisos \"easy\" y detectar el tr\u00e1fico de red. Este problema afecta: SUSE Linux Enterprise Server versiones de permisos de a partir de 85c83fef7e017f8ab7f8602d3163786d57344439 hasta 081d081dcfaf61710bda34bc21c80c66276119aa."}], "id": "CVE-2019-3687", "lastModified": "2020-03-05T01:15:10.787", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 1.4, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2020-01-24T09:15:13.047", "references": [{"source": "meissner@suse.de", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html"}, {"source": "meissner@suse.de", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1148788"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "meissner@suse.de", "type": "Secondary"}]}