CVE-2019-13313

HIGH

Libosinfo - Information Disclosure

Title source: rule
STIX 2.1

Description

libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line.

References (10)

Core 10
Core References
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.redhat.com/archives/libosinfo/2019-July/msg00026.html
Release Notes, Vendor Advisory x_refsource_misc
https://libosinfo.org/download/
Release Notes, Third Party Advisory x_refsource_misc
https://gitlab.com/libosinfo/libosinfo/-/tags
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/07/08/3
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3387

Scores

CVSS v3 7.8
EPSS 0.0005
EPSS Percentile 15.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-200
Status published
Products (14)
fedoraproject/fedora 29
fedoraproject/fedora 30
libosinfo/libosinfo 1.5.0
redhat/enterprise_linux 8.0
redhat/enterprise_linux_eus 8.1
redhat/enterprise_linux_eus 8.2
redhat/enterprise_linux_eus 8.4
redhat/enterprise_linux_eus 8.6
redhat/enterprise_linux_server_aus 8.2
redhat/enterprise_linux_server_aus 8.4
... and 4 more
Published Jul 05, 2019
Tracked Since Feb 18, 2026