CVE-2019-3695
pcp: Local privilege escalation from user pcp to root
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows the user pcp to run code as root by placing it into /var/log/pcp/configs.sh This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1.
Una vulnerabilidad de Control Inapropiado de la Generación de Código en el empaquetado pcp de SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5, openSUSE Leap 15.1, permite a un usuario pcp ejecutar código como root al colocarlo en el archivo /var/log/pcp/configs.sh. Este problema afecta: a pcp de SUSE Linux Enterprise High Performance Computing 15-ESPOS versiones anteriores a 3.11.9-5.8.1. pcp de SUSE Linux Enterprise High Performance Computing 15-LTSS versiones anteriores a 3.11.9-5.8.1. pcp de SUSE Linux Enterprise Module for Development Tools 15 versiones anteriores a 4.3.1-3.5.3. pcp de SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 versiones anteriores a 3.11.9-5.8.1. pcp de SUSE Linux Enterprise Server 15-LTSS versiones anteriores a 3.11.9-5.8.1. pcp de SUSE Linux Enterprise Server para SAP de 15 versiones anteriores a 3.11.9-5.8.1. pcp de SUSE Linux Enterprise Software Development Kit 12-SP4 versiones anteriores a 3.11.9-6.14.1. pcp de SUSE Linux Enterprise Software Development Kit 12-SP5 versiones anteriores a 3.11.9-6.14.1. pcp de openSUSE Leap 15.1 versiones anteriores a 4.3.1-lp151.2.3.1.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-01-03 CVE Reserved
- 2020-03-03 CVE Published
- 2023-07-07 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.suse.com/show_bug.cgi?id=1152763 | 2024-09-16 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2019-3695 | 2020-09-29 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1811703 | 2020-09-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Opensuse Search vendor "Opensuse" | Pcp Search vendor "Opensuse" for product "Pcp" | < 3.11.9-5.8.1 Search vendor "Opensuse" for product "Pcp" and version " < 3.11.9-5.8.1" | - |
Affected
| in | Suse Search vendor "Suse" | Linux Enterprise High Performance Computing Search vendor "Suse" for product "Linux Enterprise High Performance Computing" | 15.0 Search vendor "Suse" for product "Linux Enterprise High Performance Computing" and version "15.0" | espos |
Safe
|
| Opensuse Search vendor "Opensuse" | Pcp Search vendor "Opensuse" for product "Pcp" | < 3.11.9-5.8.1 Search vendor "Opensuse" for product "Pcp" and version " < 3.11.9-5.8.1" | - |
Affected
| in | Suse Search vendor "Suse" | Linux Enterprise High Performance Computing Search vendor "Suse" for product "Linux Enterprise High Performance Computing" | 15.0 Search vendor "Suse" for product "Linux Enterprise High Performance Computing" and version "15.0" | ltss |
Safe
|
| Opensuse Search vendor "Opensuse" | Pcp Search vendor "Opensuse" for product "Pcp" | < 3.11.9-5.8.1 Search vendor "Opensuse" for product "Pcp" and version " < 3.11.9-5.8.1" | - |
Affected
| in | Suse Search vendor "Suse" | Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server" | 15 Search vendor "Suse" for product "Linux Enterprise Server" and version "15" | - |
Safe
|
| Opensuse Search vendor "Opensuse" | Pcp Search vendor "Opensuse" for product "Pcp" | < 3.11.9-5.8.1 Search vendor "Opensuse" for product "Pcp" and version " < 3.11.9-5.8.1" | - |
Affected
| in | Suse Search vendor "Suse" | Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server" | 15 Search vendor "Suse" for product "Linux Enterprise Server" and version "15" | ltss |
Safe
|
| Opensuse Search vendor "Opensuse" | Pcp Search vendor "Opensuse" for product "Pcp" | < 3.11.9-5.8.1 Search vendor "Opensuse" for product "Pcp" and version " < 3.11.9-5.8.1" | - |
Affected
| in | Suse Search vendor "Suse" | Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server" | 15 Search vendor "Suse" for product "Linux Enterprise Server" and version "15" | sap |
Safe
|
| Opensuse Search vendor "Opensuse" | Pcp Search vendor "Opensuse" for product "Pcp" | < 4.3.1-3.5.3 Search vendor "Opensuse" for product "Pcp" and version " < 4.3.1-3.5.3" | - |
Affected
| in | Suse Search vendor "Suse" | Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server" | 15 Search vendor "Suse" for product "Linux Enterprise Server" and version "15" | sp1 |
Safe
|
| Opensuse Search vendor "Opensuse" | Pcp Search vendor "Opensuse" for product "Pcp" | < 3.11.9-6.14.1 Search vendor "Opensuse" for product "Pcp" and version " < 3.11.9-6.14.1" | - |
Affected
| in | Suse Search vendor "Suse" | Linux Enterprise Software Development Kit Search vendor "Suse" for product "Linux Enterprise Software Development Kit" | 12 Search vendor "Suse" for product "Linux Enterprise Software Development Kit" and version "12" | sp4 |
Safe
|
| Opensuse Search vendor "Opensuse" | Pcp Search vendor "Opensuse" for product "Pcp" | < 3.11.9-6.14.1 Search vendor "Opensuse" for product "Pcp" and version " < 3.11.9-6.14.1" | - |
Affected
| in | Suse Search vendor "Suse" | Linux Enterprise Software Development Kit Search vendor "Suse" for product "Linux Enterprise Software Development Kit" | 12 Search vendor "Suse" for product "Linux Enterprise Software Development Kit" and version "12" | sp5 |
Safe
|
| Opensuse Search vendor "Opensuse" | Pcp Search vendor "Opensuse" for product "Pcp" | < 4.3.1-lp151.2.3.1 Search vendor "Opensuse" for product "Pcp" and version " < 4.3.1-lp151.2.3.1" | - |
Affected
| in | Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Safe
|