CVE-2013-3709
Severity CVSS v4.0: Pending analysis
Type: CWE-264 (Permissions, Privileges, and Access Control)
Publication date: 23/12/2013
Last modified: 11/04/2025
Description
WebYaST 1.3 uses weak permissions for config/initializers/secret_token.rb, which allows local users to gain privileges by reading the Rails secret token from this file.
Impact
Base Score 2.0: 7.20
Severity 2.0: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:novell:suse_lifecycle_management_server:1.3:*:*:*:*:*:*:* | | |
| cpe:2.3:a:suse:studio_onsite:1.3:*:*:*:*:*:*:* | | |
| cpe:2.3:a:suse:webyast:1.3:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00001.html
- https://bugzilla.novell.com/show_bug.cgi?id=851116
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_secret_deserialization.rb