high
8.4
CWE
94
Advisory Published
Updated

CVE-2019-3695: pcp: Local privilege escalation from user pcp to root

First published: Fri Feb 07 2020(Updated: )

A Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows the user pcp to run code as root by placing it into /var/log/pcp/configs.sh This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1.

Credit: meissner@suse.de

Affected SoftwareAffected VersionHow to fix
Opensuse Pcp<3.11.9-5.8.1
SUSE Linux Enterprise High Performance Computing=15.0
SUSE Linux Enterprise High Performance Computing=15.0
SUSE Linux Enterprise Server=15
Suse Linux Enterprise Server Ltss=15
Suse Linux Enterprise Server Sap=15
Opensuse Pcp<4.3.1-3.5.3
SUSE Linux Enterprise Server=15-sp1
Opensuse Pcp<3.11.9-6.14.1
SUSE Linux Enterprise Software Development Kit=12-sp4
SUSE Linux Enterprise Software Development Kit=12-sp5
Opensuse Pcp<4.3.1-lp151.2.3.1
openSUSE Leap=15.1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2019-3695?

    CVE-2019-3695 is an Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15.

  • Which software versions are affected by CVE-2019-3695?

    Opensuse Pcp versions up to 3.11.9-5.8.1 and Opensuse Pcp versions up to 4.3.1-3.5.3 are affected by CVE-2019-3695.

  • What is the severity of CVE-2019-3695?

    CVE-2019-3695 has a severity level of 7.8 (High).

  • How can I fix CVE-2019-3695?

    To fix CVE-2019-3695, it is recommended to upgrade to Opensuse Pcp version 3.11.9-6.14.1 or later, or Opensuse Pcp version 4.3.1-lp151.2.3.1 or later.

  • Is SUSE Linux Enterprise High Performance Computing 15-ESPOS affected by CVE-2019-3695?

    No, SUSE Linux Enterprise High Performance Computing 15-ESPOS is not affected by CVE-2019-3695.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203