CVE-2012-6119 - OpenCVE

Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:L/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Candlepinproject	Candlepin
Redhat	Subscription Asset Manager

Configuration 1 [-]

OR	cpe:2.3:a:candlepinproject:candlepin::::::::
	cpe:2.3:a:candlepinproject:candlepin:0.4.5:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.4.11:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.4.27:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.5.5:::::::*
	cpe:2.3:a:candlepinproject:candlepin:0.6.3:::::::*
	cpe:2.3:a:redhat:subscription_asset_manager::::::::
	cpe:2.3:a:redhat:subscription_asset_manager:1.0.0:::::::*
	cpe:2.3:a:redhat:subscription_asset_manager:1.1.0:::::::*

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2013-0686.html	Vendor Advisory
http://secunia.com/advisories/52774	Vendor Advisory
http://www.osvdb.org/91719
https://bugzilla.redhat.com/show_bug.cgi?id=908613
https://github.com/candlepin/candlepin/blob/master/candlepin.spec
https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2013-04-02T22:00:00Z

Updated: 2013-04-02T22:00:00Z

Reserved: 2012-12-06T00:00:00Z

Link: CVE-2012-6119

JSON object: View

NVD Information

Status : Analyzed

Published: 2013-04-02T22:55:01.237

Modified: 2013-04-03T04:00:00.000

Link: CVE-2012-6119

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B1D9F06-42FF-43F3-9227-F1524BB8838B", "versionEndIncluding": "0.7.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "20B7A721-F0EC-4E44-A276-E849D06EA048", "vulnerable": true}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "8ECDE2F9-B94F-4B8C-9D20-3A1C96729050", "vulnerable": true}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.4.27:*:*:*:*:*:*:*", "matchCriteriaId": "2F8F8633-9313-42D8-B309-D81DF467FE11", "vulnerable": true}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "8A932DE3-11C2-4852-A803-73BB0DBDE22A", "vulnerable": true}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:0.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "E3878FE4-235F-4902-ABCE-CFDBD2C32964", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:subscription_asset_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "E20A0D71-54E5-4165-BE9F-5668B59622AB", "versionEndIncluding": "1.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:subscription_asset_manager:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1AEAC18-A40A-4F25-9C41-FD72F577292B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:subscription_asset_manager:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6CB43793-470F-4C24-AC75-A2555CA68A70", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests."}, {"lang": "es", "value": "Candlepin antes de v0.7.24, tal como se utiliza en el Administrador de Activos de Red Hat Suscripci\u00f3n antes de v1.2.1, no comprueba correctamente firmas de los manifest, que permite a usuarios locales modificarlos."}], "id": "CVE-2012-6119", "lastModified": "2013-04-03T04:00:00.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-04-02T22:55:01.237", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0686.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52774"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/91719"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=908613"}, {"source": "secalert@redhat.com", "url": "https://github.com/candlepin/candlepin/blob/master/candlepin.spec"}, {"source": "secalert@redhat.com", "url": "https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}