cnvd - cnvd-2018-04640

CNVD-2018-04640

Vulnerability from cnvd - Published: 2018-03-08

Title

commandline package update tool zypper代理证书写入日志文件漏洞

Description

commandline package update tool zypper是一款用于更新zypper包的命令行工具。 commandline package update tool zypper中存在安全漏洞，该漏洞源于程序将HTTP代理凭证写入日志中。本地攻击者可利用该漏洞获取代理的访问权限。

Severity

低

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.suse.com/

Reference

https://bugzilla.suse.com/show_bug.cgi?id=1050625 https://www.suse.com/de-de/security/cve/CVE-2017-9271/

Impacted products

Name
['Novell SUSE Linux Enterprise Desktop 12 SP2', 'Novell SUSE Linux Enterprise Server 11 SP3 LTSS', 'Novell SUSE Linux Enterprise Server 11 SP4', 'Novell SUSE Linux Enterprise Server 12 GA LTSS', 'Novell SUSE Linux Enterprise Server 12 SP1 LTSS', 'Novell SUSE Linux Enterprise Server 12 SP2', 'Novell SUSE Linux Enterprise Server 12 SP3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-9271"
    }
  },
  "description": "commandline package update tool zypper\u662f\u4e00\u6b3e\u7528\u4e8e\u66f4\u65b0zypper\u5305\u7684\u547d\u4ee4\u884c\u5de5\u5177\u3002\r\n\r\ncommandline package update tool zypper\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5c06HTTP\u4ee3\u7406\u51ed\u8bc1\u5199\u5165\u65e5\u5fd7\u4e2d\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4ee3\u7406\u7684\u8bbf\u95ee\u6743\u9650\u3002",
  "discovererName": "Mario Biberhofer",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.suse.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-04640",
  "openTime": "2018-03-08",
  "products": {
    "product": [
      "Novell SUSE Linux Enterprise Desktop 12 SP2",
      "Novell SUSE Linux Enterprise Server  11 SP3 LTSS",
      "Novell SUSE Linux Enterprise Server  11 SP4",
      "Novell SUSE Linux Enterprise Server  12 GA LTSS",
      "Novell SUSE Linux Enterprise Server  12 SP1 LTSS",
      "Novell SUSE Linux Enterprise Server  12 SP2",
      "Novell SUSE Linux Enterprise Server  12 SP3"
    ]
  },
  "referenceLink": "https://bugzilla.suse.com/show_bug.cgi?id=1050625\r\nhttps://www.suse.com/de-de/security/cve/CVE-2017-9271/",
  "serverity": "\u4f4e",
  "submitTime": "2018-03-05",
  "title": "commandline package update tool zypper\u4ee3\u7406\u8bc1\u4e66\u5199\u5165\u65e5\u5fd7\u6587\u4ef6\u6f0f\u6d1e"
}

CVE-2017-9271 (GCVE-0-2017-9271)

Vulnerability from cvelistv5 – Published: 2018-03-01 19:00 – Updated: 2024-09-16 23:26

Summary

The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used.

Severity ?

4 (Medium)


                        
                          CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

Proxy credentials are writting into logfiles
CVE-532

Assigner

microfocus

References

URL

Tags

	https://www.suse.com/de-de/security/cve/CVE-2017-9271/	x_refsource_CONFIRM
	https://bugzilla.suse.com/show_bug.cgi?id=1050625	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	SUSE	zypper	Affected: n/a

Credits

Mario Biberhofer

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:02:44.124Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.suse.com/de-de/security/cve/CVE-2017-9271/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
          },
          {
            "name": "FEDORA-2021-ebc1c35c5d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VP2DNHXEQFHXBCTSREPNR7BU4EX64SQG/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "zypper",
          "vendor": "SUSE",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mario Biberhofer"
        }
      ],
      "datePublic": "2018-03-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Proxy credentials are writting into logfiles",
              "lang": "en",
              "type": "text"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "CVE-532",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-13T03:06:06",
        "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "shortName": "microfocus"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.suse.com/de-de/security/cve/CVE-2017-9271/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
        },
        {
          "name": "FEDORA-2021-ebc1c35c5d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VP2DNHXEQFHXBCTSREPNR7BU4EX64SQG/"
        }
      ],
      "source": {
        "defect": [
          "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "proxy credentials written to log files by zypper",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@microfocus.com",
          "DATE_PUBLIC": "2018-03-01T00:00:00.000Z",
          "ID": "CVE-2017-9271",
          "STATE": "PUBLIC",
          "TITLE": "proxy credentials written to log files by zypper"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "zypper",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SUSE"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Mario Biberhofer"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Proxy credentials are writting into logfiles"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CVE-532"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.suse.com/de-de/security/cve/CVE-2017-9271/",
              "refsource": "CONFIRM",
              "url": "https://www.suse.com/de-de/security/cve/CVE-2017-9271/"
            },
            {
              "name": "https://bugzilla.suse.com/show_bug.cgi?id=1050625",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
            },
            {
              "name": "FEDORA-2021-ebc1c35c5d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VP2DNHXEQFHXBCTSREPNR7BU4EX64SQG/"
            }
          ]
        },
        "source": {
          "defect": [
            "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
    "assignerShortName": "microfocus",
    "cveId": "CVE-2017-9271",
    "datePublished": "2018-03-01T19:00:00Z",
    "dateReserved": "2017-05-29T00:00:00",
    "dateUpdated": "2024-09-16T23:26:26.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-04640

CVE-2017-9271 (GCVE-0-2017-9271)

Tags

Sightings

Nomenclature