    2 vulnerabilities found for autoyast2 by opensuse

    CVE-2019-18905 (GCVE-0-2019-18905)

    Vulnerability from nvd – Published: 2020-04-03 11:00 – Updated: 2024-09-17 02:52
    VLAI
    Title
    Deprecated functionality in autoyast2 automatically imports gpg keys without checking them
    Summary
    An Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions.
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    References
    Impacted products
    Vendor Product Version
    SUSE SUSE Linux Enterprise Server 12 Affected: autoyast2 , ≤ 4.1.9-3.9.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 Affected: autoyast2 , ≤ 4.0.70-3.20.1 (custom)
    Date Public
    2020-04-03 00:00
    Credits
    Matthias Gerstner of SUSE

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:02:39.805Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"
              },
              {
                "name": "openSUSE-SU-2020:0676",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SUSE Linux Enterprise Server 12",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.9-3.9.1",
                  "status": "affected",
                  "version": "autoyast2",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "SUSE Linux Enterprise Server 15",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.70-3.20.1",
                  "status": "affected",
                  "version": "autoyast2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2020-04-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-05-22T23:06:15.000Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"
            },
            {
              "name": "openSUSE-SU-2020:0676",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"
            }
          ],
          "source": {
            "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1140711",
            "defect": [
              "1140711"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Deprecated functionality in autoyast2 automatically imports gpg keys without checking them",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@suse.com",
              "DATE_PUBLIC": "2020-04-03T00:00:00.000Z",
              "ID": "CVE-2019-18905",
              "STATE": "PUBLIC",
              "TITLE": "Deprecated functionality in autoyast2 automatically imports gpg keys without checking them"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SUSE Linux Enterprise Server 12",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "autoyast2",
                                "version_value": "4.1.9-3.9.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SUSE Linux Enterprise Server 15",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "autoyast2",
                                "version_value": "4.0.70-3.20.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SUSE"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Matthias Gerstner of SUSE"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-345: Insufficient Verification of Data Authenticity"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.suse.com/show_bug.cgi?id=1140711",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"
                },
                {
                  "name": "openSUSE-SU-2020:0676",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"
                }
              ]
            },
            "source": {
              "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1140711",
              "defect": [
                "1140711"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2019-18905",
        "datePublished": "2020-04-03T11:00:16.880Z",
        "dateReserved": "2019-11-12T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:52:07.503Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-18905 (GCVE-0-2019-18905)

    Vulnerability from cvelistv5 – Published: 2020-04-03 11:00 – Updated: 2024-09-17 02:52
    VLAI
    Title
    Deprecated functionality in autoyast2 automatically imports gpg keys without checking them
    Summary
    An Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions.
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    References
    Impacted products
    Vendor Product Version
    SUSE SUSE Linux Enterprise Server 12 Affected: autoyast2 , ≤ 4.1.9-3.9.1 (custom)
    SUSE SUSE Linux Enterprise Server 15 Affected: autoyast2 , ≤ 4.0.70-3.20.1 (custom)
    Date Public
    2020-04-03 00:00
    Credits
    Matthias Gerstner of SUSE

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:02:39.805Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"
              },
              {
                "name": "openSUSE-SU-2020:0676",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SUSE Linux Enterprise Server 12",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.9-3.9.1",
                  "status": "affected",
                  "version": "autoyast2",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "SUSE Linux Enterprise Server 15",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.70-3.20.1",
                  "status": "affected",
                  "version": "autoyast2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Matthias Gerstner of SUSE"
            }
          ],
          "datePublic": "2020-04-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-05-22T23:06:15.000Z",
            "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            "shortName": "suse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"
            },
            {
              "name": "openSUSE-SU-2020:0676",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"
            }
          ],
          "source": {
            "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1140711",
            "defect": [
              "1140711"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Deprecated functionality in autoyast2 automatically imports gpg keys without checking them",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@suse.com",
              "DATE_PUBLIC": "2020-04-03T00:00:00.000Z",
              "ID": "CVE-2019-18905",
              "STATE": "PUBLIC",
              "TITLE": "Deprecated functionality in autoyast2 automatically imports gpg keys without checking them"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SUSE Linux Enterprise Server 12",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "autoyast2",
                                "version_value": "4.1.9-3.9.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SUSE Linux Enterprise Server 15",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "autoyast2",
                                "version_value": "4.0.70-3.20.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SUSE"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Matthias Gerstner of SUSE"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-345: Insufficient Verification of Data Authenticity"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.suse.com/show_bug.cgi?id=1140711",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.suse.com/show_bug.cgi?id=1140711"
                },
                {
                  "name": "openSUSE-SU-2020:0676",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html"
                }
              ]
            },
            "source": {
              "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1140711",
              "defect": [
                "1140711"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "assignerShortName": "suse",
        "cveId": "CVE-2019-18905",
        "datePublished": "2020-04-03T11:00:16.880Z",
        "dateReserved": "2019-11-12T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:52:07.503Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }