CVE-2019-3695 Detail
Current Description
A Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows the user pcp to run code as root by placing it into /var/log/pcp/configs.sh This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1.
Source: MITRE
View Analysis Description
Analysis Description
A Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows the user pcp to run code as root by placing it into /var/log/pcp/configs.sh This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1.
Source: MITRE
Severity
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | NIST SUSE |
Known Affected Software Configurations Switch to CPE 2.2
Configuration 1 ( hide )
Configuration 2 ( hide )
Configuration 3 ( hide )
| cpe:2.3:a:opensuse:pcp:*:*:*:*:*:*:*:* Show Matching CPE(s) |
Up to (excluding) 3.11.9-6.14.1 |
|
| cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp4:*:*:*:*:*:* Show Matching CPE(s) |
||
| cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp5:*:*:*:*:*:* Show Matching CPE(s) |
||
Configuration 4 ( hide )
Change History
2 change records found – show changes
Initial Analysis – 3/6/2020 1:03:46 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration |
AND
OR
*cpe:2.3:a:opensuse:pcp:*:*:*:*:*:*:*:* versions up to (excluding) 3.11.9-5.8.1
OR
cpe:2.3:a:suse:linux_enterprise_high_performance_computing:15.0:*:*:*:espos:*:*:*
cpe:2.3:a:suse:linux_enterprise_high_performance_computing:15.0:*:*:*:ltss:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:15:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:15:*:*:*:*:ltss:*:*
cpe:2.3:o:suse:linux_enterprise_server:15:*:*:*:*:sap:*:*
|
|
| Added | CPE Configuration |
AND
OR
*cpe:2.3:a:opensuse:pcp:*:*:*:*:*:*:*:* versions up to (excluding) 3.11.9-6.14.1
OR
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp5:*:*:*:*:*:*
|
|
| Added | CPE Configuration |
AND
OR
*cpe:2.3:a:opensuse:pcp:*:*:*:*:*:*:*:* versions up to (excluding) 4.3.1-3.5.3
OR
cpe:2.3:o:suse:linux_enterprise_server:15:sp1:*:*:*:*:*:*
|
|
| Added | CPE Configuration |
AND
OR
*cpe:2.3:a:opensuse:pcp:*:*:*:*:*:*:*:* versions up to (excluding) 4.3.1-lp151.2.3.1
OR
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
|
|
| Added | CVSS V2 |
NIST (AV:L/AC:L/Au:N/C:C/I:C/A:C) |
|
| Added | CVSS V3.1 |
NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| Added | CWE |
NIST CWE-94 |
|
| Changed | Reference Type |
https://bugzilla.suse.com/show_bug.cgi?id=1152763 No Types Assigned |
https://bugzilla.suse.com/show_bug.cgi?id=1152763 Exploit, Issue Tracking, Vendor Advisory |
CVE Modified by MITRE – 3/3/2020 7:15:11 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 |
SUSE AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| Removed | CVSS V3.1 |
[email protected] AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| Added | CWE |
SUSE CWE-94 |
|
| Removed | CWE |
[email protected] CWE-94 |
|
| Changed | Description | Record truncated, showing 500 of 1565 characters. View Entire Change Record
A Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Deve |
Record truncated, showing 500 of 1565 characters. View Entire Change Record
A Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Deve |
Quick Info
CVE Dictionary Entry:
CVE-2019-3695
NVD Published Date:
03/03/2020
NVD Last Modified:
03/06/2020