WebYaST Vulnerability in openSUSE Allows Local Privilege Escalation
CVE-2013-3709

Currently unrated

Key Information:

Vendor: Suse
Status: Studio Onsite; Suse Lifecycle Management Server; Webyast
Vendor: CVE Published:; 23 December 2013

Summary

The WebYaST 1.3 application in openSUSE has been identified to use inadequate permissions for the config/initializers/secret_token.rb file. This flaw creates a significant security risk, as it enables local users to read the Rails secret token stored within that file. Such access can lead to further privilege escalation within the system.

References

http://lists.opensuse.org/opensuse-security-announce/2013...

vendor-advisoryx_refsource_SUSE

http://lists.opensuse.org/opensuse-security-announce/2014...

vendor-advisoryx_refsource_SUSE

http://lists.opensuse.org/opensuse-security-announce/2013...

vendor-advisoryx_refsource_SUSE

Timeline

Vulnerability published
Dec 23, 2013
Vulnerability Reserved
May 30, 2013