CVE-2019-18900

NameCVE-2019-18900
Description: Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions prior to 16.21.2-27.68.1. SUSE Linux Enterprise Server 12 libzypp versions prior to 16.21.2-2.45.1. SUSE Linux Enterprise Server 15 17.19.0-3.34.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2132-1
Debian Bugs953362

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libzypp (PTS)buster17.7.0-1vulnerable
bullseye17.25.7-1fixed
bookworm17.25.7-2.4fixed
trixie17.31.31-1fixed
sid17.32.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libzyppsourceexperimental17.25.5-1
libzyppsourcejessie14.29.1-2+deb8u1DLA-2132-1
libzyppsource(unstable)17.25.5-2953362

Notes

[buster] - libzypp <no-dsa> (Minor issue)
https://bugzilla.suse.com/show_bug.cgi?id=1158763
https://github.com/openSUSE/libzypp/pull/196
https://github.com/openSUSE/libzypp/commit/ea50981352bb5c7ab48663edaeb2df1ddd66953e
https://github.com/openSUSE/libzypp/commit/508b1201f23b44ee90dee6dbbeb3ac5f8bd4c089

Search for package or bug name: Reporting problems