wicked: Use-after-free when receiving invalid DHCP6 IA_PD option

CVE-2019-18903

7.5HIGH

Key Information

Vendor: Suse
Status: Suse Linux Enterprise Server 12; Suse Linux Enterprise Server 15; Leap 15.1; Factory
Vendor: CVE Published:; 2 March 2020

Summary

A Use After Free vulnerability in wicked of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15; openSUSE Leap 15.1, Factory allows remote attackers to cause DoS or potentially code execution. This issue affects: SUSE Linux Enterprise Server 12 wicked versions prior to 0.6.60-2.18.1. SUSE Linux Enterprise Server 15 wicked versions prior to 0.6.60-28.26.1. openSUSE Leap 15.1 wicked versions prior to 0.6.60-lp151.2.9.1. openSUSE Factory wicked versions prior to 0.6.62.

Affected Version(s)

SUSE Linux Enterprise Server 12 < 0.6.60-2.18.1

SUSE Linux Enterprise Server 15 < 0.6.60-28.26.1

Leap 15.1 < 0.6.60-lp151.2.9.1

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: 9.8 to: 7.5 - (HIGH)
Feb 22, 2024
Vulnerability published.
Mar 2, 2020
Vulnerability Reserved.
Nov 12, 2019

Collectors

NVD DatabaseMitre Database

Credit

Malte Kraus