CVE-2012-6119

Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2013-0686.html	Vendor Advisory
http://secunia.com/advisories/52774	Vendor Advisory
https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c
https://github.com/candlepin/candlepin/blob/master/candlepin.spec
http://www.osvdb.org/91719
https://bugzilla.redhat.com/show_bug.cgi?id=908613

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:candlepinproject:candlepin:0.5.5:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.4.27:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.4.11:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.4.5:::::::*
	cpe:2.3:a:redhat:subscription_asset_manager:1.1.0:::::::*
	cpe:2.3:a:candlepinproject:candlepin::::::::
	cpe:2.3:a:redhat:subscription_asset_manager::::::::
	cpe:2.3:a:redhat:subscription_asset_manager:1.0.0:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.6.3:::::::*

Information

Published : 2013-04-02 15:55

Updated : 2013-04-02 21:00

NVD link : CVE-2012-6119

Mitre link : CVE-2012-6119

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Advertisement

Products Affected

candlepinproject

candlepin

redhat

subscription_asset_manager

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html", "name": "RHSA-2013:0686", "tags": ["Vendor Advisory"], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/52774", "name": "52774", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c", "name": "https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c", "tags": [], "refsource": "CONFIRM"}, {"url": "https://github.com/candlepin/candlepin/blob/master/candlepin.spec", "name": "https://github.com/candlepin/candlepin/blob/master/candlepin.spec", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.osvdb.org/91719", "name": "91719", "tags": [], "refsource": "OSVDB"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908613", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=908613", "tags": [], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2012-6119", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2013-04-02T22:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:0.5.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:0.4.27:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:0.4.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:0.4.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:subscription_asset_manager:1.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "0.7.2"}, {"cpe23Uri": "cpe:2.3:a:redhat:subscription_asset_manager:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.2.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:subscription_asset_manager:1.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:0.6.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2013-04-03T04:00Z"}