CVE-2015-5302

libreport 2.0.7-2.6.2 - Unauthorized Sensitive Information Exposure via Crash Report Attachments

Title source: llm
STIX 2.1

Description

libreport 2.0.7 before 2.6.3 only saves changes to the first file when editing a crash report, which allows remote attackers to obtain sensitive information via unspecified vectors related to the (1) backtrace, (2) cmdline, (3) environ, (4) open_fds, (5) maps, (6) smaps, (7) hostname, (8) remote, (9) ks.cfg, or (10) anaconda-tb file attachment included in a Red Hat Bugzilla bug report.

References (7)

Core 7
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-2505.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/77685
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172695.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-2504.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1270903

Scores

EPSS 0.0277
EPSS Percentile 84.5%

Details

CWE
CWE-200
Status published
Products (24)
redhat/libreport 2.0.8
redhat/libreport 2.0.9
redhat/libreport 2.0.10
redhat/libreport 2.0.14
redhat/libreport 2.0.16
redhat/libreport 2.0.19
redhat/libreport 2.0.20
redhat/libreport 2.1.0
redhat/libreport 2.1.1
redhat/libreport 2.1.2
... and 14 more
Published Dec 07, 2015
Tracked Since Feb 18, 2026