ALT-PU-2018-2074-1
Package NetworkManager-vpnc updated to version 1.2.6-alt1 for branch sisyphus in task 210980.
Closed vulnerabilities
Published: 2018-07-26
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2018-10900
Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.
Severity: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
- https://bugzilla.novell.com/show_bug.cgi?id=1101147
- https://bugzilla.novell.com/show_bug.cgi?id=1101147
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10900
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10900
- https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news
- https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news
- https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4
- https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4
- [debian-lts-announce] 20180731 [SECURITY] [DLA 1454-1] network-manager-vpnc security update
- [debian-lts-announce] 20180731 [SECURITY] [DLA 1454-1] network-manager-vpnc security update
- https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
- https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
- GLSA-201808-03
- GLSA-201808-03
- DSA-4253
- DSA-4253
- 45313
- 45313