CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
71.6%
The remote host is missing an update for the
# SPDX-FileCopyrightText: 2021 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.1.4.2019.1220.1");
script_cve_id("CVE-2019-3781");
script_tag(name:"creation_date", value:"2021-06-09 14:57:25 +0000 (Wed, 09 Jun 2021)");
script_version("2024-02-02T14:37:50+0000");
script_tag(name:"last_modification", value:"2024-02-02 14:37:50 +0000 (Fri, 02 Feb 2024)");
script_tag(name:"cvss_base", value:"3.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:S/C:P/I:N/A:N");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2019-03-08 15:28:58 +0000 (Fri, 08 Mar 2019)");
script_name("SUSE: Security Advisory (SUSE-SU-2019:1220-1)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2021 Greenbone AG");
script_family("SuSE Local Security Checks");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/suse_sles", "ssh/login/rpms", re:"ssh/login/release=(SLES15\.0)");
script_xref(name:"Advisory-ID", value:"SUSE-SU-2019:1220-1");
script_xref(name:"URL", value:"https://www.suse.com/support/update/announcement/2019/suse-su-20191220-1/");
script_xref(name:"URL", value:"https://www.pivotaltracker.com/story/show/130060949");
script_xref(name:"URL", value:"https://www.pivotaltracker.com/story/show/163156064");
script_xref(name:"URL", value:"https://www.pivotaltracker.com/story/show/151841382");
script_xref(name:"URL", value:"https://www.pivotaltracker.com/story/show/150111078");
script_xref(name:"URL", value:"https://www.pivotaltracker.com/story/show/162745359");
script_xref(name:"URL", value:"https://www.pivotaltracker.com/story/show/161632713");
script_xref(name:"URL", value:"https://www.pivotaltracker.com/story/show/162699756");
script_xref(name:"URL", value:"https://www.pivotaltracker.com/story/show/162747373");
script_tag(name:"summary", value:"The remote host is missing an update for the 'cf-cli' package(s) announced via the SUSE-SU-2019:1220-1 advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
script_tag(name:"insight", value:"This update for cf-cli fixes the following issues:
cf-cli was updated: to version 6.43.0 (bsc#1132242)
Enhancements :
`cf curl` supports a new `--fail` flag (primarily for scripting
purposes) which returns exit code `22` for server errors
[story]([link moved to references])
Improves `cf delete-orphaned-routes` such that it uses a different
endpoint, reducing the chance of a race condition when two users are
simultaneously deleting orphaned routes and associating routes with
applications [story]([link moved to references])
we've improved the speed of cf services - it now hits a single endpoint
instead of making individual API calls
Security:
CVE-2019-3781: CF CLI does not sanitize userAC/AEURA(tm)s password in
verbose/trace/debug.
Fixes issue with running cf login in verbose mode whereby passwords
which contains regex were not completely redacted
Fixes issue whilst running commands in verbose mode refresh tokens were
not completely redacted
Other Bug Fixes:
Updates help text for cf curlstory
Now refresh tokens work properly whilst using cf curl with V3 CC API
endpoints story
Fixes performance degradation for cf services story
cf delete-service requires that you are targeting a space story
cf enable-service access for a service in an org will succeed if you
have already enabled access for that service in that org story
cf-cli was updated to version 6.42.0:
Minor Enhancements:
updated `cf restage` help text and the first line in the command's
output to indicate that using this command will cause app downtime
[story]([link moved to references])
updated the `cf bind-route-service` help text to clarify usage
instructions [story]([link moved to references])
improved an error message for `cf create-service-boker` to be more
helpful when the CC API returns a `502` due to an invalid service broker
catalog
upgraded to Golang 1.11.4
[story]([link moved to references])
added a short name `ue` for `cf unset-env`
[story]([link moved to references])
updated `cf marketplace` command to include a new `broker` column to
prepare for a upcoming services-related feature which will allow
services to have the same name as long as they are associated with
different service brokers
[story]([link moved to references])
Bugs:
fix for `cf enable-service-access -p plan` whereby when we refactored
the code in CLI `v6.41.0` it created service plan visibilities as part
of a subsequent run of the command (the unrefactored code skipped
creating the service plan visibilities), now the command will skip
creating service plan visibilities as it did prior to the refactor
[story]([link moved to references])
updated the `cf rename-buildpack` help text which was missing ... [Please see the references for more information on the vulnerabilities]");
script_tag(name:"affected", value:"'cf-cli' package(s) on SUSE Linux Enterprise Module for CAP 15.");
script_tag(name:"solution", value:"Please install the updated package(s).");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"package");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
release = rpm_get_ssh_release();
if(!release)
exit(0);
res = "";
report = "";
if(release == "SLES15.0") {
if(!isnull(res = isrpmvuln(pkg:"cf-cli", rpm:"cf-cli~6.43.0~3.3.2", rls:"SLES15.0"))) {
report += res;
}
if(report != "") {
security_message(data:report);
} else if(__pkg_match) {
exit(99);
}
exit(0);
}
exit(0);
www.pivotaltracker.com/story/show/130060949
www.pivotaltracker.com/story/show/150111078
www.pivotaltracker.com/story/show/151841382
www.pivotaltracker.com/story/show/161632713
www.pivotaltracker.com/story/show/162699756
www.pivotaltracker.com/story/show/162745359
www.pivotaltracker.com/story/show/162747373
www.pivotaltracker.com/story/show/163156064
www.suse.com/support/update/announcement/2019/suse-su-20191220-1/
SUSE-SU-2019:1220-1
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
71.6%