| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.0 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as critical has been discovered in SuSE Linux Enterprise Server. This affects an unknown part of the component autoyast2. The manipulation results in data authenticity. This vulnerability was named CVE-2019-18905. The attack may be performed from remote. There is no available exploit. It is advisable to implement a patch to correct this issue.
Details
A vulnerability classified as critical has been found in SuSE Linux Enterprise Server (Operating System) (affected version unknown). Affected is an unknown functionality of the component autoyast2. The manipulation with an unknown input leads to a data authenticity vulnerability. CWE is classifying the issue as CWE-345. The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions.
The weakness was presented 04/03/2020 as Bug 1140711 as not defined bug report (Bugzilla). The advisory is shared for download at bugzilla.suse.com. This vulnerability is traded as CVE-2019-18905 since 11/12/2019. The exploitability is told to be difficult. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available.
Applying a patch is able to eliminate this problem.
Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
License
Website
- Vendor: https://www.suse.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.1VulDB Meta Temp Score: 5.0
VulDB Base Score: 5.6
VulDB Temp Score: 5.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 4.8
NVD Vector: 🔍
CNA Base Score: 4.8
CNA Vector (SUSE): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Data authenticityCWE: CWE-345
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Timeline
11/12/2019 🔍04/03/2020 🔍
04/04/2020 🔍
05/13/2024 🔍
Sources
Vendor: suse.comAdvisory: Bug 1140711
Status: Not defined
Confirmation: 🔍
CVE: CVE-2019-18905 (🔍)
GCVE (CVE): GCVE-0-2019-18905
GCVE (VulDB): GCVE-100-152748
Entry
Created: 04/04/2020 13:31Updated: 05/13/2024 16:05
Changes: 04/04/2020 13:31 (40), 04/04/2020 13:36 (12), 10/07/2020 12:24 (1), 05/13/2024 16:05 (33)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.