Unrated severityNVD Advisory· Published Jan 24, 2020· Updated Sep 16, 2024

libzypp stores cookies world readable

CVE-2019-18900

Description

: Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions prior to 16.21.2-27.68.1. SUSE Linux Enterprise Server 12 libzypp versions prior to 16.21.2-2.45.1. SUSE Linux Enterprise Server 15 17.19.0-3.34.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Novell/Libzyppllm-fuzzy
osv-coords38 versions
pkg:rpm/opensuse/libsolv&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/libzypp&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/libzypp&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/zypper&distro=openSUSE%20Leap%2015.1 pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015 pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1 pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP1 pkg:rpm/suse/libzypp&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/libzypp&distro=SUSE%20Enterprise%20Storage%205 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/libzypp&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/libzypp&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/libzypp&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/libzypp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/libzypp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/zypper&distro=SUSE%20OpenStack%20Cloud%207
< 0.7.10-lp151.2.10.1+ 37 more
- (no CPE)range: < 0.7.10-lp151.2.10.1
- (no CPE)range: < 17.19.0-lp151.2.10.1
- (no CPE)range: < 17.28.4-1.2
- (no CPE)range: < 1.14.33-lp151.2.10.1
- (no CPE)range: < 0.7.10-3.22.1
- (no CPE)range: < 0.7.10-3.13.4
- (no CPE)range: < 0.7.10-3.22.1
- (no CPE)range: < 0.7.10-3.13.4
- (no CPE)range: < 0.7.10-3.13.4
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 17.19.0-3.34.1
- (no CPE)range: < 17.19.0-3.14.5
- (no CPE)range: < 16.21.2-27.70.1
- (no CPE)range: < 16.21.2-27.70.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-27.70.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-27.70.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 16.21.2-2.45.1
- (no CPE)range: < 1.14.33-3.29.1
- (no CPE)range: < 1.14.33-3.13.5
- (no CPE)range: < 1.13.57-18.46.3
- (no CPE)range: < 1.13.57-18.46.3
- (no CPE)range: < 1.13.57-18.46.3
- (no CPE)range: < 1.13.57-18.46.3
SUSE S.A./Caas Platformcpe-rescue
Range: libzypp
SUSE S.A./Linux Enterprise Servercpe-rescue2 versions
libzypp+ 1 more
- (no CPE)range: libzypp
- (no CPE)range: libzypp 17.19.0-3.34.1

Patches

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.htmlmitrevendor-advisoryx_refsource_SUSE
bugzilla.suse.com/show_bug.cgimitrex_refsource_CONFIRM
lists.debian.org/debian-lts-announce/2020/03/msg00005.htmlmitremailing-listx_refsource_MLIST

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000