CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 1CVE-2022-45154 – supportconfig does not remove passwords in /etc/iscsi/iscsid.conf and /etc/target/lio_setup.sh
https://notcve.org/view.php?id=CVE-2022-45154
A Cleartext Storage of Sensitive Information vulnerability in suppportutils of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 15 SP3 allows attackers that get access to the support logs to gain knowledge of the stored credentials This issue affects: SUSE Linux Enterprise Server 12 supportutils version 3.0.10-95.51.1CWE-312: Cleartext Storage of Sensitive Information and prior versions. SUSE Linux Enterprise Server 15 supportutils version 3.1.21-150000.5.44.1 and prior versions. SUSE Linux Enterprise Server 15 SP3 supportutils version 3.1.21-150300.7.35.15.1 and prior versions. • https://bugzilla.suse.com/show_bug.cgi?id=1207598 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19636 – Local root exploit via inclusion of attacker controlled shell script
https://notcve.org/view.php?id=CVE-2018-19636
Supportutils, before version 3.1-5.7.1, when run with command line argument -A searched the file system for a ndspath binary. If an attacker provides one at an arbitrary location it is executed with root privileges Supportutils, en versiones anteriores a la 3.1-5.7.1, buscaba en el sistema de archivos por un binario ndspath al ejecutarse con una línea de comandos con el argumento -A. Si un atacante proporciona uno de dichos argumentos en una ubicación arbitraria, se ejecuta con privilegios root. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00018.html https://bugzilla.suse.com/show_bug.cgi?id=1117751 • CWE-20: Improper Input Validation CWE-306: Missing Authentication for Critical Function •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19638 – User can overwrite arbitrary log files in support tar
https://notcve.org/view.php?id=CVE-2018-19638
In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files. En Supportutils, en versiones anteriores a la 3.1-5.7.1, y si una batería de marcapasos está instalada en el sistema, un usuario sin privilegios podría haber sobrescrito archivos arbitrarios en el directorio utilizado por supportutils para recolectar los archivos de log. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00018.html https://bugzilla.suse.com/show_bug.cgi?id=1118460 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-377: Insecure Temporary File •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19640 – Code execution if run with command line switch -v
https://notcve.org/view.php?id=CVE-2018-19640
If the attacker manages to create files in the directory used to collect log files in supportutils before version 3.1-5.7.1 (e.g. with CVE-2018-19638) he can kill arbitrary processes on the local machine. Si el atacante logra crear archivos en el directorio utilizado para recolectar archivos de log en supportutils, en versiones anteriores a la 3.1-5.71, (p.ej., con CVE-2018-19638), éste puede finalizar procesos arbitrarios en la máquina local. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00018.html https://bugzilla.suse.com/show_bug.cgi?id=1118463 • CWE-20: Improper Input Validation CWE-377: Insecure Temporary File •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19637 – Static temporary filename allows overwriting of files
https://notcve.org/view.php?id=CVE-2018-19637
Supportutils, before version 3.1-5.7.1, wrote data to static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection Supportutils, en versiones anteriores a la 3.1-5.7.1, escribía datos al archivo estático tmp/supp_log, lo que permitía a los atacantes locales sobrescribir archivos en sistemas sin protecciones symlink. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00018.html https://bugzilla.suse.com/show_bug.cgi?id=1117776 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-377: Insecure Temporary File •