CVE-2013-3709
https://notcve.org/view.php?id=CVE-2013-3709
WebYaST 1.3 uses weak permissions for config/initializers/secret_token.rb, which allows local users to gain privileges by reading the Rails secret token from this file.
• http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00006.html
• http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00012.html
• http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00013.html
• http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00014.html
• http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00001.html
• https://bugzilla.novell.com/show_bug.cgi?id=851116
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-7042
https://notcve.org/view.php?id=CVE-2013-7042
SUSE Lifecycle Management Server (SLMS) before 1.3.7 uses world-readable permissions for the secret keys, which allows local users to gain privileges via unspecified vectors.
• http://osvdb.org/100652
• https://bugzilla.novell.com/show_bug.cgi?id=852101
• https://exchange.xforce.ibmcloud.com/vulnerabilities/89897
• https://www.suse.com/support/update/announcement/2013/suse-su-20131813-1.html
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-3710
https://notcve.org/view.php?id=CVE-2013-3710
SUSE Lifecycle Management Server (SLMS) before 1.3.7 does not generate a new secret key when the service starts, which allows remote attackers to defeat intended cryptographic protection mechanisms by leveraging knowledge of this key from a product installation elsewhere.
• http://osvdb.org/100653
• https://bugzilla.novell.com/show_bug.cgi?id=852101
• https://www.suse.com/support/update/announcement/2013/suse-su-20131813-1.html
• CWE-310: Cryptographic Issues