CVE-2019-0103

Vulnerability

The vulnerability is an insufficient file protection issue (CWE-693) during the install routine of the Intel(R) Data Center Manager SDK before version 5.0.2 [1][2]. This allows an authenticated user with local access to potentially disclose sensitive information [2]. The exact files or directories affected are not described in detail, but the flaw resides in the installation process where file permissions are not adequately set, exposing files to unauthorized reading [2].

Exploitation

An attacker must have valid authentication to the system and local access (CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) [2]. No user interaction is required beyond the attacker's own actions. The attacker can leverage the weak file permissions to read files that should be protected, potentially including configuration files or other data stored by the SDK during or after installation [2].

Impact

Successful exploitation results in information disclosure of high confidentiality impact, meaning the attacker can read files that contain sensitive data [2]. There is no impact to integrity or availability according to the CVSS vector. The attacker gains knowledge of the protected information but does not obtain direct system privileges beyond their existing authenticated user level [2].

Mitigation

The vulnerability is fixed in Intel Data Center Manager SDK version 5.0.2 and later [1][2]. Users should update to this version or newer. No workaround is documented in the available references. The advisory was published on 2019-02-18 by Intel and also coordinated with CISA [1][2].