cnvd - cnvd-2018-04640

cnvd-2018-04640

Vulnerability from cnvd

Title: commandline package update tool zypper代理证书写入日志文件漏洞

Description:

commandline package update tool zypper是一款用于更新zypper包的命令行工具。

commandline package update tool zypper中存在安全漏洞，该漏洞源于程序将HTTP代理凭证写入日志中。本地攻击者可利用该漏洞获取代理的访问权限。

Severity: 低

Formal description:

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.suse.com/

Reference: https://bugzilla.suse.com/show_bug.cgi?id=1050625 https://www.suse.com/de-de/security/cve/CVE-2017-9271/

Impacted products

Name
['Novell SUSE Linux Enterprise Desktop 12 SP2', 'Novell SUSE Linux Enterprise Server 11 SP3 LTSS', 'Novell SUSE Linux Enterprise Server 11 SP4', 'Novell SUSE Linux Enterprise Server 12 GA LTSS', 'Novell SUSE Linux Enterprise Server 12 SP1 LTSS', 'Novell SUSE Linux Enterprise Server 12 SP2', 'Novell SUSE Linux Enterprise Server 12 SP3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-9271"
    }
  },
  "description": "commandline package update tool zypper\u662f\u4e00\u6b3e\u7528\u4e8e\u66f4\u65b0zypper\u5305\u7684\u547d\u4ee4\u884c\u5de5\u5177\u3002\r\n\r\ncommandline package update tool zypper\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5c06HTTP\u4ee3\u7406\u51ed\u8bc1\u5199\u5165\u65e5\u5fd7\u4e2d\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4ee3\u7406\u7684\u8bbf\u95ee\u6743\u9650\u3002",
  "discovererName": "Mario Biberhofer",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.suse.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-04640",
  "openTime": "2018-03-08",
  "products": {
    "product": [
      "Novell SUSE Linux Enterprise Desktop 12 SP2",
      "Novell SUSE Linux Enterprise Server  11 SP3 LTSS",
      "Novell SUSE Linux Enterprise Server  11 SP4",
      "Novell SUSE Linux Enterprise Server  12 GA LTSS",
      "Novell SUSE Linux Enterprise Server  12 SP1 LTSS",
      "Novell SUSE Linux Enterprise Server  12 SP2",
      "Novell SUSE Linux Enterprise Server  12 SP3"
    ]
  },
  "referenceLink": "https://bugzilla.suse.com/show_bug.cgi?id=1050625\r\nhttps://www.suse.com/de-de/security/cve/CVE-2017-9271/",
  "serverity": "\u4f4e",
  "submitTime": "2018-03-05",
  "title": "commandline package update tool zypper\u4ee3\u7406\u8bc1\u4e66\u5199\u5165\u65e5\u5fd7\u6587\u4ef6\u6f0f\u6d1e"
}

CVE-2017-9271 (GCVE-0-2017-9271)

Vulnerability from cvelistv5

Published

2018-03-01 19:00

Modified

2024-09-16 23:26

Severity ?

4.0 (Medium) - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

Proxy credentials are writting into logfiles
CVE-532

Summary

The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used.

References

▼	URL	Tags
	https://www.suse.com/de-de/security/cve/CVE-2017-9271/	x_refsource_CONFIRM
	https://bugzilla.suse.com/show_bug.cgi?id=1050625	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VP2DNHXEQFHXBCTSREPNR7BU4EX64SQG/	vendor-advisory, x_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	SUSE	zypper	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:02:44.124Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.suse.com/de-de/security/cve/CVE-2017-9271/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
          },
          {
            "name": "FEDORA-2021-ebc1c35c5d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VP2DNHXEQFHXBCTSREPNR7BU4EX64SQG/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "zypper",
          "vendor": "SUSE",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mario Biberhofer"
        }
      ],
      "datePublic": "2018-03-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Proxy credentials are writting into logfiles",
              "lang": "en",
              "type": "text"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "CVE-532",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-13T03:06:06",
        "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "shortName": "microfocus"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.suse.com/de-de/security/cve/CVE-2017-9271/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
        },
        {
          "name": "FEDORA-2021-ebc1c35c5d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VP2DNHXEQFHXBCTSREPNR7BU4EX64SQG/"
        }
      ],
      "source": {
        "defect": [
          "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "proxy credentials written to log files by zypper",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@microfocus.com",
          "DATE_PUBLIC": "2018-03-01T00:00:00.000Z",
          "ID": "CVE-2017-9271",
          "STATE": "PUBLIC",
          "TITLE": "proxy credentials written to log files by zypper"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "zypper",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SUSE"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Mario Biberhofer"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Proxy credentials are writting into logfiles"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CVE-532"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.suse.com/de-de/security/cve/CVE-2017-9271/",
              "refsource": "CONFIRM",
              "url": "https://www.suse.com/de-de/security/cve/CVE-2017-9271/"
            },
            {
              "name": "https://bugzilla.suse.com/show_bug.cgi?id=1050625",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
            },
            {
              "name": "FEDORA-2021-ebc1c35c5d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VP2DNHXEQFHXBCTSREPNR7BU4EX64SQG/"
            }
          ]
        },
        "source": {
          "defect": [
            "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
    "assignerShortName": "microfocus",
    "cveId": "CVE-2017-9271",
    "datePublished": "2018-03-01T19:00:00Z",
    "dateReserved": "2017-05-29T00:00:00",
    "dateUpdated": "2024-09-16T23:26:26.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted