7.5

CVE-2019-13179

Exploit
Calamares versions 3.1 through 3.2.10 copy a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600, owned by root) to /boot inside a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption.
Data provided by the National Vulnerability Database (NVD)
Calamares Version <= 3.2.10
No advisory was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 2.09% 0.792
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9 AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835095
Third Party Advisory
Exploit
Issue Tracking
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835096
Third Party Advisory
https://calamares.io/calamares-3.2.11-is-out/
Vendor Advisory
https://calamares.io/calamares-cve-2019/
Vendor Advisory
https://github.com/calamares/calamares/issues/1191
Third Party Advisory
Exploit
Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q57BOTBA2J5U4GVKUP7N2PD5H7B3BVUU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2ZDQRGBGRVRW5LPJWKUNS3M66LZ3KYC/
https://bugzilla.redhat.com/show_bug.cgi?id=1726542
Third Party Advisory
Issue Tracking