Vulnerability Details : CVE-2019-18905
An Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12 and SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions; SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions.
Products affected by CVE-2019-18905
- cpe:2.3:a:opensuse:autoyast2:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-18905
- 0.11%: Probability of exploitation activity in the next 30 days
- ~ 26 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-18905
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L | 2.2 | 2.5 | SUSE | |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2019-18905
- The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
  Assigned by:
  - meissner@suse.de (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2019-18905
- https://bugzilla.suse.com/show_bug.cgi?id=1140711
  Bug 1140711 – VUL-1: CVE-2019-18905: autoyast2: insecure use of --gpg-auto-import-keys? (Issue Tracking; Vendor Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00050.html
  [security-announce] openSUSE-SU-2020:0676-1: moderate: Security update f