CVE-2019-13313

low

Published 2019-11-05 · Modified 2019-11-05

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

RHSA-2019:3387: osinfo-db and libosinfo security and bug fix update (Low)

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description Libosinfo: osinfo-install-script option leaks password via command line argument CVSS v3: 2.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux 7libosinfo-0:1.1.0-5.el7RHSA-2020:10512020-03-31T00:00:00Z Red Hat Enterprise Linux 8gnome-boxes-0:3.28.5-7.el8RHSA-2019:33872019-11-05T00:00:00Z Red Hat Enterprise…

Description

Libosinfo: osinfo-install-script option leaks password via command line argument

CVSS v3: 2.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 7	`libosinfo-0:1.1.0-5.el7`	RHSA-2020:1051	2020-03-31T00:00:00Z
Red Hat Enterprise Linux 8	`gnome-boxes-0:3.28.5-7.el8`	RHSA-2019:3387	2019-11-05T00:00:00Z
Red Hat Enterprise Linux 8	`libosinfo-0:1.5.0-3.el8`	RHSA-2019:3387	2019-11-05T00:00:00Z
Red Hat Enterprise Linux 8	`osinfo-db-0:20190611-1.el8`	RHSA-2019:3387	2019-11-05T00:00:00Z
Red Hat Enterprise Linux 8	`osinfo-db-tools-0:1.5.0-4.el8`	RHSA-2019:3387	2019-11-05T00:00:00Z

Apply commands

bash fix

Apply RHSA-2020:1051 for Red Hat Enterprise Linux 7

yum update -y libosinfo
# or:
dnf upgrade -y libosinfo

OS impact

OS	Version	Status	Fixed in
sles		affected
debian	bookworm	fixed	`1.6.0-1`
debian	bullseye	fixed	`1.6.0-1`
debian	forky	fixed	`1.6.0-1`
debian	sid	fixed	`1.6.0-1`
debian	trixie	fixed	`1.6.0-1`
rhel	8	fixed

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.