Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

rocky логотип

RLSA-2023:4706

Опубликовано: 28 авг. 2023
Источник: rocky
Оценка: Important

Описание

Important: subscription-manager security update

The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Rocky Enterprise Software Foundation entitlement platform.

Security Fix(es):

  • subscription-manager: inadequate authorization of com.redhat.RHSM1 D-Bus interface allows local users to modify configuration (CVE-2023-3899)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Затронутые продукты

  • Rocky Linux 8

НаименованиеАрхитектураРелизRPM
dnf-plugin-subscription-managerx86_643.el8_8.rocky.0.1dnf-plugin-subscription-manager-1.28.36-3.el8_8.rocky.0.1.x86_64.rpm
python3-cloud-whatx86_643.el8_8.rocky.0.1python3-cloud-what-1.28.36-3.el8_8.rocky.0.1.x86_64.rpm
python3-subscription-manager-rhsmx86_643.el8_8.rocky.0.1python3-subscription-manager-rhsm-1.28.36-3.el8_8.rocky.0.1.x86_64.rpm
python3-syspurposex86_643.el8_8.rocky.0.1python3-syspurpose-1.28.36-3.el8_8.rocky.0.1.x86_64.rpm
rhsm-iconsnoarch3.el8_8.rocky.0.1rhsm-icons-1.28.36-3.el8_8.rocky.0.1.noarch.rpm
subscription-managerx86_643.el8_8.rocky.0.1subscription-manager-1.28.36-3.el8_8.rocky.0.1.x86_64.rpm
subscription-manager-cockpitnoarch3.el8_8.rocky.0.1subscription-manager-cockpit-1.28.36-3.el8_8.rocky.0.1.noarch.rpm
subscription-manager-plugin-ostreex86_643.el8_8.rocky.0.1subscription-manager-plugin-ostree-1.28.36-3.el8_8.rocky.0.1.x86_64.rpm
subscription-manager-rhsm-certificatesx86_643.el8_8.rocky.0.1subscription-manager-rhsm-certificates-1.28.36-3.el8_8.rocky.0.1.x86_64.rpm

Показывать по

Связанные CVE

CVE-2023-3899

Ссылки на источники

Исправления

Связанные уязвимости

redhat логотип

CVE-2023-3899

CVSS3: 7.8
redhat
почти 2 года назад

A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.

nvd логотип

CVE-2023-3899

CVSS3: 7.8
nvd
почти 2 года назад

A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.

rocky логотип

RLSA-2023:4708

rocky
почти 2 года назад

Important: subscription-manager security update

github логотип

GHSA-wp8h-m67c-cxpw

CVSS3: 7.8
github
почти 2 года назад

A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.

fstec логотип

BDU:2023-04878

CVSS3: 7.8
fstec
почти 2 года назад

Уязвимость метода SetAll() системы межпроцессного взаимодействия D-Bus операционных систем Red Hat Enterprise Linux, позволяющая нарушителю повысить свои привилегии