Vulnerabilities > CVE-2017-2663 - Local Privilege Escalation vulnerability in Candlepin subscription-manager
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
It was found that subscription-manager's DBus interface before 1.19.4 let unprivileged user access the com.redhat.RHSM1.Facts.GetFacts and com.redhat.RHSM1.Config.Set methods. An unprivileged local attacker could use these methods to gain access to private information, or launch a privilege escalation attack.
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2018-A675AA39FC.NASL description This is a primarily maintenance update. Please see the attached bugs for more specific details on what has improved as far as stability is concerned. There is also a larger new feature which is being released in concert with work being done in Katello / Foreman. Subscription-manager has a concept of a package-profile. This contains information on all installed rpm packages for the system on which it is running. We have expanded this reporting capability to include information on enabled and installed modules from modulemd as well as to report on which repositories this system has enabled presently. This information is combined into a group of reports and submitted to the same endpoint on Katello / Foreman. The new request is a PUT to /consumers/{consumer_uuid}/profiles. This is done only when the string last seen 2020-06-05 modified 2019-01-03 plugin id 120680 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120680 title Fedora 28 : subscription-manager (2018-a675aa39fc) NASL family Fedora Local Security Checks NASL id FEDORA_2018-075821DC8F.NASL description This is a primarily maintenance update. Please see the attached bugs for more specific details on what has improved as far as stability is concerned. There is also a larger new feature which is being released in concert with work being done in Katello / Foreman. Subscription-manager has a concept of a package-profile. This contains information on all installed rpm packages for the system on which it is running. We have expanded this reporting capability to include information on enabled and installed modules from modulemd as well as to report on which repositories this system has enabled presently. This information is combined into a group of reports and submitted to the same endpoint on Katello / Foreman. The new request is a PUT to /consumers/{consumer_uuid}/profiles. This is done only when the string last seen 2020-06-05 modified 2019-01-03 plugin id 120218 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120218 title Fedora 29 : subscription-manager (2018-075821dc8f) NASL family Fedora Local Security Checks NASL id FEDORA_2018-91BA32A0FF.NASL description This is a primarily maintenance update. Please see the attached bugs for more specific details on what has improved as far as stability is concerned. There is also a larger new feature which is being released in concert with work being done in Katello / Foreman. Subscription-manager has a concept of a package-profile. This contains information on all installed rpm packages for the system on which it is running. We have expanded this reporting capability to include information on enabled and installed modules from modulemd as well as to report on which repositories this system has enabled presently. This information is combined into a group of reports and submitted to the same endpoint on Katello / Foreman. The new request is a PUT to /consumers/{consumer_uuid}/profiles. This is done only when the string last seen 2020-06-05 modified 2018-11-15 plugin id 118960 published 2018-11-15 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118960 title Fedora 27 : subscription-manager (2018-91ba32a0ff)