CVE-2019-13313 - Information Exposure vulnerability in multiple products
- Attack vector: LOCAL
- Attack complexity: LOW
- Privileges required: LOW
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH

Summary
libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values: The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting: An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently), it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible): An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting: An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including the version of browser, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction: This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-2003.NASL
- description: According to the version of the libosinfo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in libosinfo, version 1.5.0, where the script for automated guest installations,
- last seen: 2020-05-08
- modified: 2019-09-24
- plugin id: 129196
- published: 2019-09-24
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/129196
- title: EulerOS 2.0 SP3 : libosinfo (EulerOS-SA-2019-2003)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(129196);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");

  script_cve_id(
    "CVE-2019-13313"
  );

  script_name(english:"EulerOS 2.0 SP3 : libosinfo (EulerOS-SA-2019-2003)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the libosinfo package installed, the
EulerOS installation on the remote host is affected by the following
vulnerability :

  - A flaw was found in libosinfo, version 1.5.0, where the
    script for automated guest installations,
    'osinfo-install-script', accepts user and admin
    passwords via command line arguments. This could allow
    guest passwords to leak to other system users via a
    process listing.(CVE-2019-13313)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2003
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77546500");
  script_set_attribute(attribute:"solution", value:
"Update the affected libosinfo package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libosinfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["libosinfo-0.2.12-3.h2"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_NOTE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libosinfo");
}
```

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2019-3387.NASL
- description: An update for osinfo-db, osinfo-db-tools, libosinfo, and gnome-boxes is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. The osinfo-db package contains a database that provides information about operating systems and hypervisor platforms to facilitate the automated configuration and provisioning of new virtual machines. The libosinfo packages provide a library that allows virtualization provisioning tools to determine the optimal device settings for a combination of hypervisor and operating system. Security Fix(es) : * Libosinfo: osinfo-install-script option leaks password via command line argument (CVE-2019-13313) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 130532
- published: 2019-11-06
- reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/130532
- title: RHEL 8 : osinfo-db and libosinfo (RHSA-2019:3387)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2019:3387. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(130532);
  script_version("1.2");
  script_cvs_date("Date: 2019/12/17");

  script_cve_id("CVE-2019-13313");
  script_xref(name:"RHSA", value:"2019:3387");

  script_name(english:"RHEL 8 : osinfo-db and libosinfo (RHSA-2019:3387)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for osinfo-db, osinfo-db-tools, libosinfo, and gnome-boxes
is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security
impact of Low. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link (s) in the References section.

The osinfo-db package contains a database that provides information
about operating systems and hypervisor platforms to facilitate the
automated configuration and provisioning of new virtual machines.

The libosinfo packages provide a library that allows virtualization
provisioning tools to determine the optimal device settings for a
combination of hypervisor and operating system.

Security Fix(es) :

* Libosinfo: osinfo-install-script option leaks password via command
line argument (CVE-2019-13313)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to
the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.1 Release Notes linked from the References section."
  );
  # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?774148ae"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2019:3387"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2019-13313"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gnome-boxes");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gnome-boxes-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gnome-boxes-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libosinfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libosinfo-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libosinfo-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:osinfo-db");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:osinfo-db-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:osinfo-db-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:osinfo-db-tools-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 8.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2019:3387";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL8", cpu:"x86_64", reference:"gnome-boxes-3.28.5-7.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"x86_64", reference:"gnome-boxes-debuginfo-3.28.5-7.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"x86_64", reference:"gnome-boxes-debugsource-3.28.5-7.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"i686", reference:"libosinfo-1.5.0-3.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"s390x", reference:"libosinfo-1.5.0-3.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"x86_64", reference:"libosinfo-1.5.0-3.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"i686", reference:"libosinfo-debuginfo-1.5.0-3.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"s390x", reference:"libosinfo-debuginfo-1.5.0-3.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"x86_64", reference:"libosinfo-debuginfo-1.5.0-3.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"i686", reference:"libosinfo-debugsource-1.5.0-3.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"s390x", reference:"libosinfo-debugsource-1.5.0-3.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"x86_64", reference:"libosinfo-debugsource-1.5.0-3.el8")) flag++;
  if (rpm_check(release:"RHEL8", reference:"osinfo-db-20190611-1.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"s390x", reference:"osinfo-db-tools-1.5.0-4.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"x86_64", reference:"osinfo-db-tools-1.5.0-4.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"s390x", reference:"osinfo-db-tools-debuginfo-1.5.0-4.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"x86_64", reference:"osinfo-db-tools-debuginfo-1.5.0-4.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"s390x", reference:"osinfo-db-tools-debugsource-1.5.0-4.el8")) flag++;
  if (rpm_check(release:"RHEL8", cpu:"x86_64", reference:"osinfo-db-tools-debugsource-1.5.0-4.el8")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnome-boxes / gnome-boxes-debuginfo / gnome-boxes-debugsource / etc");
  }
}
```

- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-1821.NASL
- description: According to the version of the libosinfo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in libosinfo, version 1.5.0, where the script for automated guest installations,
- last seen: 2020-05-03
- modified: 2019-08-27
- plugin id: 128190
- published: 2019-08-27
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/128190
- title: EulerOS 2.0 SP8 : libosinfo (EulerOS-SA-2019-1821)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(128190);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");

  script_cve_id(
    "CVE-2019-13313"
  );

  script_name(english:"EulerOS 2.0 SP8 : libosinfo (EulerOS-SA-2019-1821)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the libosinfo package installed, the
EulerOS installation on the remote host is affected by the following
vulnerability :

  - A flaw was found in libosinfo, version 1.5.0, where the
    script for automated guest installations,
    'osinfo-install-script', accepts user and admin
    passwords via command line arguments. This could allow
    guest passwords to leak to other system users via a
    process listing.(CVE-2019-13313)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1821
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6de1decb");
  script_set_attribute(attribute:"solution", value:
"Update the affected libosinfo package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/08/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libosinfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["libosinfo-1.2.0-4.h6.eulerosv2r8"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_NOTE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libosinfo");
}
```

- NASL family: CentOS Local Security Checks
- NASL id: CENTOS_RHSA-2020-1051.NASL
- description: The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1051 advisory. - Libosinfo: osinfo-install-script option leaks password via command line argument (CVE-2019-13313) Note that Nessus has not tested for this issue but has instead relied only on the application
- last seen: 2020-06-06
- modified: 2020-04-10
- plugin id: 135326
- published: 2020-04-10
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/135326
- title: CentOS 7 : libosinfo (CESA-2020:1051)

- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-1854.NASL
- description: According to the version of the libosinfo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in libosinfo, version 1.5.0, where the script for automated guest installations,
- last seen: 2020-05-08
- modified: 2019-09-17
- plugin id: 128906
- published: 2019-09-17
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/128906
- title: EulerOS 2.0 SP2 : libosinfo (EulerOS-SA-2019-1854)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2019-D2CDE4761E.NASL
- description: Security fix for CVE-2019-13313 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 127083
- published: 2019-07-26
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/127083
- title: Fedora 29 : libosinfo (2019-d2cde4761e)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2019-4B8990E4D6.NASL
- description: Security fix for CVE-2019-13313 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 126798
- published: 2019-07-19
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/126798
- title: Fedora 29 : mingw-libosinfo (2019-4b8990e4d6)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-1051.NASL
- description: The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1051 advisory. - Libosinfo: osinfo-install-script option leaks password via command line argument (CVE-2019-13313) Note that Nessus has not tested for this issue but has instead relied only on the application
- last seen: 2020-04-23
- modified: 2020-04-01
- plugin id: 135064
- published: 2020-04-01
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/135064
- title: RHEL 7 : libosinfo (RHSA-2020:1051)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2019-C9FBE3DB9C.NASL
- description: Security fix for CVE-2019-13313 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 127082
- published: 2019-07-26
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/127082
- title: Fedora 30 : libosinfo (2019-c9fbe3db9c)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2019-E23AEAC13E.NASL
- description: Security fix for CVE-2019-13313 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 126802
- published: 2019-07-19
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/126802
- title: Fedora 30 : mingw-libosinfo (2019-e23aeac13e)

- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-1952.NASL
- description: According to the version of the libosinfo package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - A flaw was found in libosinfo, version 1.5.0, where the script for automated guest installations,
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 128955
- published: 2019-09-17
- reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/128955
- title: EulerOS Virtualization for ARM 64 3.0.2.0 : libosinfo (EulerOS-SA-2019-1952)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SU-2019-2273-1.NASL
- description: This update for libosinfo fixes the following issues : Security issue fixed : CVE-2019-13313: Fixed an information leak where a local user could gather credentials from the osinfo-install-script (bsc#1140749). Non-security issues fixed: Fixed OS detection for multiple versions of SLE12, SLE15 and openSUSE Leap (bsc#1105607, bsc#1122858, bsc#1105607, bsc#1054986, bsc#1054986) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 128504
- published: 2019-09-04
- reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/128504
- title: SUSE SLES12 Security Update : libosinfo (SUSE-SU-2019:2273-1)

- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-1888.NASL
- description: According to the version of the libosinfo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in libosinfo, version 1.5.0, where the script for automated guest installations,
- last seen: 2020-05-08
- modified: 2019-09-16
- plugin id: 128811
- published: 2019-09-16
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/128811
- title: EulerOS 2.0 SP5 : libosinfo (EulerOS-SA-2019-1888)

- NASL family: Scientific Linux Local Security Checks
- NASL id: SL_20200407_LIBOSINFO_ON_SL7_X.NASL
- description: * Libosinfo: osinfo-install-script option leaks password via command line argument
- last seen: 2020-04-30
- modified: 2020-04-21
- plugin id: 135815
- published: 2020-04-21
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/135815
- title: Scientific Linux Security Update : libosinfo on SL7.x x86_64 (20200407)

References
- http://www.openwall.com/lists/oss-security/2019/07/08/3
- https://access.redhat.com/errata/RHSA-2019:3387
- https://gitlab.com/libosinfo/libosinfo/-/tags
- https://gitlab.com/libosinfo/libosinfo/blob/master/NEWS
- https://libosinfo.org/download/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AZU4IPPIR73NYC6E733QR26O5ZI6MMKJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEZUZKC6YK4E3NXM7XKZOXY5X5PJSPIR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4AD73NGYBV7GYT4LFC3TC7AYBWOJTG4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT44EYZZQFTK7XM6GKCYC4WUE7HYZVXM/
- https://www.redhat.com/archives/libosinfo/2019-July/msg00026.html