CVE-2018-19636

Supportutils, before version 3.1-5.7.1, when run with the command-line argument -A, searched the file system for an ndspath binary. If an attacker provides one at an arbitrary location, it is executed with root privileges.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.3 HIGH | LOCAL | LOW | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score percentile: 12%
Affected Products (NVD)
Vendor | Product | Version
opensuse | supportutils | < 3.1-5.7.1 (vulnerable)
openSUSE / SLES Releases
openSUSE Product | Release | Version | Status
hostinfo | suse enterprise sap 12 SP2 | 1.0.1-19.5.1 | fixed
hostinfo | suse enterprise sap 12 SP3 | 1.0.1-19.5.1 | fixed
hostinfo | suse enterprise sap 12 SP4 | 1.0.1-19.5.1 | fixed
hostinfo | suse enterprise server 12 | 1.0.1-19.5.1 | fixed
hostinfo | suse enterprise server 12 SP1 | 1.0.1-19.5.1 | fixed
hostinfo | suse enterprise server 12 SP2 | 1.0.1-19.5.1 | fixed
hostinfo | suse enterprise server 12 SP3 | 1.0.1-19.5.1 | fixed
hostinfo | suse enterprise server 12 SP4 | 1.0.1-19.5.1 | fixed
supportutils | suse enterprise sap 12 SP2 | 3.0-95.21.1 | fixed
supportutils | suse enterprise sap 12 SP3 | 3.0-95.21.1 | fixed
supportutils | suse enterprise sap 12 SP4 | 3.0-95.21.1 | fixed
supportutils | suse enterprise server 12 | 3.0-95.21.1 | fixed
supportutils | suse enterprise server 12 SP1 | 3.0-95.21.1 | fixed
supportutils | suse enterprise server 12 SP2 | 3.0-95.21.1 | fixed
supportutils | suse enterprise server 12 SP3 | 3.0-95.21.1 | fixed
supportutils | suse enterprise server 12 SP4 | 3.0-95.21.1 | fixed