CVE-2012-6119

Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2013-0686.html	Vendor Advisory
http://secunia.com/advisories/52774	Vendor Advisory
http://www.osvdb.org/91719
https://bugzilla.redhat.com/show_bug.cgi?id=908613
https://github.com/candlepin/candlepin/blob/master/candlepin.spec
https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:candlepinproject:candlepin::::::::
	cpe:2.3:a:candlepinproject:candlepin:0.4.5:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.4.11:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.4.27:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.5.5:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.6.3:::::::*
	cpe:2.3:a:redhat:subscription_asset_manager::::::::
	cpe:2.3:a:redhat:subscription_asset_manager:1.0.0:::::::*
	cpe:2.3:a:redhat:subscription_asset_manager:1.1.0:::::::*

History

No history.

Information

Published : 2013-04-02 22:55

Updated : 2013-04-03 04:00

NVD link : CVE-2012-6119

Mitre link : CVE-2012-6119

CVE.ORG link : CVE-2012-6119

JSON object : View

Products Affected

candlepinproject

candlepin

redhat

subscription_asset_manager

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2012-6119", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-04-02T22:55:01.237", "references": [{"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/52774", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://www.osvdb.org/91719", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908613", "source": "secalert@redhat.com"}, {"url": "https://github.com/candlepin/candlepin/blob/master/candlepin.spec", "source": "secalert@redhat.com"}, {"url": "https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c", "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests."}, {"lang": "es", "value": "Candlepin antes de v0.7.24, tal como se utiliza en el Administrador de Activos de Red Hat Suscripci\u00f3n antes de v1.2.1, no comprueba correctamente firmas de los manifest, que permite a usuarios locales modificarlos."}], "lastModified": "2013-04-03T04:00:00.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B1D9F06-42FF-43F3-9227-F1524BB8838B", "versionEndIncluding": "0.7.2"}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.4.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20B7A721-F0EC-4E44-A276-E849D06EA048"}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.4.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8ECDE2F9-B94F-4B8C-9D20-3A1C96729050"}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.4.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F8F8633-9313-42D8-B309-D81DF467FE11"}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.5.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A932DE3-11C2-4852-A803-73BB0DBDE22A"}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.6.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3878FE4-235F-4902-ABCE-CFDBD2C32964"}, {"criteria": "cpe:2.3:a:redhat:subscription_asset_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E20A0D71-54E5-4165-BE9F-5668B59622AB", "versionEndIncluding": "1.2.0"}, {"criteria": "cpe:2.3:a:redhat:subscription_asset_manager:1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1AEAC18-A40A-4F25-9C41-FD72F577292B"}, {"criteria": "cpe:2.3:a:redhat:subscription_asset_manager:1.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6CB43793-470F-4C24-AC75-A2555CA68A70"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}