CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20297 – NetworkManager: Profile with match.path setting triggers crash
https://notcve.org/view.php?id=CVE-2021-20297
A flaw was found in NetworkManager in versions before 1.30.0. Setting match.path and activating a profile crashes NetworkManager. The highest threat from this vulnerability is to system availability. Se encontró un fallo en NetworkManager en versiones anteriores a 1.30.0. Ajustando el archivo match.path y activando un perfil bloquea NetworkManager. • https://bugzilla.redhat.com/show_bug.cgi?id=1943282 https://access.redhat.com/security/cve/CVE-2021-20297 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-10754 – NetworkManager: user configuration not honoured leaving the connection unauthenticated via insecure defaults
https://notcve.org/view.php?id=CVE-2020-10754
It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely. Se encontró que nmcli, una interfaz de línea de comandos para NetworkManager no respetaba las configuraciones 802-1x.ca-path y 802-1x.phase2-ca-path, cuando se crea un nuevo perfil. Cuando un usuario se conecta a una red usando este perfil, la autenticación no ocurre y la conexión se realiza de forma no segura A flaw was found in nmcli, where the command-line interface to the NetworkManager did not accept the 802-1x.ca-path and 802-1x.phase2-ca-path settings when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and an insecure connection occurs. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10754 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44FTVXWKDYIAMOOP2PZMUY3D2QNWAVBZ https://access.redhat.com/security/cve/CVE-2020-10754 https://bugzilla.redhat.com/show_bug.cgi?id=1841041 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 1CVE-2012-1096 – GNOME NetworkManager 0.x - Local Arbitrary File Access
https://notcve.org/view.php?id=CVE-2012-1096
NetworkManager 0.9 and earlier allows local users to use other users' certificates or private keys when making a connection via the file path when adding a new connection. NetworkManager versiones 0.9 y anteriores, permiten a usuarios locales utilizar certificados privados o claves privadas de otros usuarios cuando se realiza una conexión mediante la ruta del archivo al agregar una nueva conexión. • https://www.exploit-db.com/exploits/36887 http://www.openwall.com/lists/oss-security/2012/03/02/3 https://access.redhat.com/security/cve/cve-2012-1096 https://bugzilla.gnome.org/show_bug.cgi?id=793329 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1096 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2012-1096 https://security-tracker.debian.org/tracker/CVE-2012-1096 • CWE-295: Improper Certificate Validation •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 3CVE-2006-7246
https://notcve.org/view.php?id=CVE-2006-7246
NetworkManager 0.9.x does not pin a certificate's subject to an ESSID when 802.11X authentication is used. NetworkManager versiones 0.9.x, no fija un asunto del certificado en un ESSID cuando es usada la autenticación 802.11X. • http://www.openwall.com/lists/oss-security/2010/04/22/2 https://bugzilla.gnome.org/show_bug.cgi?id=341323 https://bugzilla.novell.com/show_bug.cgi?id=574266 https://lwn.net/Articles/468868 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000135
https://notcve.org/view.php?id=CVE-2018-1000135
GNOME NetworkManager version 1.10.2 and earlier contains a Information Exposure (CWE-200) vulnerability in DNS resolver that can result in Private DNS queries leaked to local network's DNS servers, while on VPN. This vulnerability appears to have been fixed in Some Ubuntu 16.04 packages were fixed, but later updates removed the fix. cf. https://bugs.launchpad.net/ubuntu/+bug/1754671 an upstream fix does not appear to be available at this time. GNOME NetworkManager, en versiones 1.10.2 y anteriores, contiene una vulnerabilidad de exposición de información (CWE-200) en la resolución DNS que puede resultar en el filtrado de consultas DNS privadas en los servidores DNS de las redes locales mientras se está en una VPN. Aparentemente, esta vulnerabilidad ha sido solucionada en algunos paquetes de Ubuntu 16.04, pero las posteriores actualizaciones eliminaron esta solución. cf. https://bugs.launchpad.net/ubuntu/+bug/1754671 no parece que exista actualmente una solución ascendente. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00005.html http://www.securityfocus.com/bid/103478 https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671 https://bugzilla.gnome.org/show_bug.cgi?id=746422 https://bugzilla.redhat.com/show_bug.cgi?id=1553634 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •