CVE-2018-19639

Description

If supportutils before version 3.1-5.7.1 is run with -v to perform rpm verification and the attacker manages to manipulate the rpm listing (e.g. with CVE-2018-19638) he can execute arbitrary commands as root.

CVSS breakdown

CVSS 3.0

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

SUSE / supportutilsunspecified – 3.1-5.7.1

References

MISChttps://bugzilla.suse.com/show_bug.cgi?id=1118462
MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2019-05/msg00018.html