CVE-2015-5302
libreport 2.0.7-2.6.2 - Unauthorized Sensitive Information Exposure via Crash Report Attachments
Title source: llmDescription
libreport 2.0.7 before 2.6.3 only saves changes to the first file when editing a crash report, which allows remote attackers to obtain sensitive information via unspecified vectors related to the (1) backtrace, (2) cmdline, (3) environ, (4) open_fds, (5) maps, (6) smaps, (7) hostname, (8) remote, (9) ks.cfg, or (10) anaconda-tb file attachment included in a Red Hat Bugzilla bug report.
References (7)
Core 7
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-2505.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/77685
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172695.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-2504.html
Vendor Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Patch x_refsource_confirm
https://github.com/abrt/libreport/commit/257578a23d1537a2d235aaa2b1488ee4f818e360
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1270903
Scores
EPSS
0.0277
EPSS Percentile
84.5%
Details
CWE
CWE-200
Status
published
Products (24)
redhat/libreport
2.0.8
redhat/libreport
2.0.9
redhat/libreport
2.0.10
redhat/libreport
2.0.14
redhat/libreport
2.0.16
redhat/libreport
2.0.19
redhat/libreport
2.0.20
redhat/libreport
2.1.0
redhat/libreport
2.1.1
redhat/libreport
2.1.2
... and 14 more
Published
Dec 07, 2015
Tracked Since
Feb 18, 2026