CVE-2019-18905

Severity CVSS v4.0:

Pending analysis

Type:

CWE-345 Insufficient Verification of Data Authenticity

Publication date:

03/04/2020

Last modified:

23/05/2020

Description

A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS v3.1 Severity and Metrics:

Base Score: 5.90 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): None

Base Score 3.x

5.90

Severity 3.x

MEDIUM

Vector 2.0

AV:N/AC:M/Au:N/C:N/I:P/A:N CVSS v2.0 Severity and Metrics:

Base Score: 4.30 MEDIUM
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Medium
Authentication (Au): None
Confidentiality (C): None
Integrity (I): Physical
Availability (A): None

Base Score 2.0

4.30

Severity 2.0

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:opensuse:autoyast2::::::::		4.1.9-3.9.1 (including)
cpe:2.3:o:suse:linux_enterprise_server:12:-::::::
cpe:2.3:a:opensuse:autoyast2::::::::		4.0.70-3.20.1 (including)
cpe:2.3:o:suse:linux_enterprise_server:15:::::::*

To consult the complete list of CPE names with products and versions, see this page

CVE-2019-18905

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools