CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20297 – NetworkManager: Profile with match.path setting triggers crash
https://notcve.org/view.php?id=CVE-2021-20297
A flaw was found in NetworkManager in versions before 1.30.0. Setting match.path and activating a profile crashes NetworkManager. The highest threat from this vulnerability is to system availability. Se encontró un fallo en NetworkManager en versiones anteriores a 1.30.0. Ajustando el archivo match.path y activando un perfil bloquea NetworkManager. • https://bugzilla.redhat.com/show_bug.cgi?id=1943282 https://access.redhat.com/security/cve/CVE-2021-20297 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-10754 – NetworkManager: user configuration not honoured leaving the connection unauthenticated via insecure defaults
https://notcve.org/view.php?id=CVE-2020-10754
It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely. Se encontró que nmcli, una interfaz de línea de comandos para NetworkManager no respetaba las configuraciones 802-1x.ca-path y 802-1x.phase2-ca-path, cuando se crea un nuevo perfil. Cuando un usuario se conecta a una red usando este perfil, la autenticación no ocurre y la conexión se realiza de forma no segura A flaw was found in nmcli, where the command-line interface to the NetworkManager did not accept the 802-1x.ca-path and 802-1x.phase2-ca-path settings when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and an insecure connection occurs. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10754 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44FTVXWKDYIAMOOP2PZMUY3D2QNWAVBZ https://access.redhat.com/security/cve/CVE-2020-10754 https://bugzilla.redhat.com/show_bug.cgi?id=1841041 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 3CVE-2006-7246
https://notcve.org/view.php?id=CVE-2006-7246
NetworkManager 0.9.x does not pin a certificate's subject to an ESSID when 802.11X authentication is used. NetworkManager versiones 0.9.x, no fija un asunto del certificado en un ESSID cuando es usada la autenticación 802.11X. • http://www.openwall.com/lists/oss-security/2010/04/22/2 https://bugzilla.gnome.org/show_bug.cgi?id=341323 https://bugzilla.novell.com/show_bug.cgi?id=574266 https://lwn.net/Articles/468868 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1000135
https://notcve.org/view.php?id=CVE-2018-1000135
GNOME NetworkManager version 1.10.2 and earlier contains a Information Exposure (CWE-200) vulnerability in DNS resolver that can result in Private DNS queries leaked to local network's DNS servers, while on VPN. This vulnerability appears to have been fixed in Some Ubuntu 16.04 packages were fixed, but later updates removed the fix. cf. https://bugs.launchpad.net/ubuntu/+bug/1754671 an upstream fix does not appear to be available at this time. GNOME NetworkManager, en versiones 1.10.2 y anteriores, contiene una vulnerabilidad de exposición de información (CWE-200) en la resolución DNS que puede resultar en el filtrado de consultas DNS privadas en los servidores DNS de las redes locales mientras se está en una VPN. Aparentemente, esta vulnerabilidad ha sido solucionada en algunos paquetes de Ubuntu 16.04, pero las posteriores actualizaciones eliminaron esta solución. cf. https://bugs.launchpad.net/ubuntu/+bug/1754671 no parece que exista actualmente una solución ascendente. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00005.html http://www.securityfocus.com/bid/103478 https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671 https://bugzilla.gnome.org/show_bug.cgi?id=746422 https://bugzilla.redhat.com/show_bug.cgi?id=1553634 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.2EPSS: 0%CPEs: 5EXPL: 0CVE-2016-0764 – NetworkManager: Race condition allowing info leak
https://notcve.org/view.php?id=CVE-2016-0764
Race condition in Network Manager before 1.0.12 as packaged in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows local users to obtain sensitive connection information by reading temporary files during ifcfg and keyfile changes. Una condición de carrera en Network Manager anterior a versión 1.0.12 como empaquetado en Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7 y Red Hat Enterprise Linux Workstation 7, permite a los usuarios locales obtener información de conexión confidencial mediante la lectura de archivos temporales durante cambios de ifcfg y keyfile. A race condition vulnerability was discovered in NetworkManager. Temporary files were created insecurely when saving or updating connection settings, which could allow local users to read connection secrets such as VPN passwords or WiFi keys. • http://rhn.redhat.com/errata/RHSA-2016-2581.html https://bugzilla.redhat.com/show_bug.cgi?id=1324025 https://access.redhat.com/security/cve/CVE-2016-0764 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •