Code execution if run with command line switch -v
CVE-2018-19639

6.7MEDIUM

Key Information:

Vendor: Suse
Status: Supportutils
Vendor: CVE Published:; 5 March 2019

Summary

If supportutils before version 3.1-5.7.1 is run with -v to perform rpm verification and the attacker manages to manipulate the rpm listing (e.g. with CVE-2018-19638) he can execute arbitrary commands as root.

Affected Version(s)

supportutils < 3.1-5.7.1

References

https://bugzilla.suse.com/show_bug.cgi?id=1118462

x_refsource_CONFIRM

http://lists.opensuse.org/opensuse-security-announce/2019...

vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 5, 2019
Vulnerability Reserved
Nov 28, 2018

Credit

Johannes Segitz of SUSE