CVE-2016-4455

Published on: 04/14/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:26:59 PM UTC

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Certain versions of Red Hat Enterprise Linux 6 and 7 (Desktop, HPC Node, Server and Workstation) and of the subscription-manager package contain the following vulnerability:

The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain sensitive information by reading files in the directories.
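The practical question on an affected host is whether the rhsm state tree under /var/lib/rhsm/ is still readable by unprivileged local users, and whether the installed package is at or past the fix. The script below is an added example, not the advisory's or the subscription-manager project's code: it walks a directory for any entry that grants permissions to "other" (the 755 directories the description refers to), strips those bits, and compares a package version string against 1.17.7-1. The hardened mode (o-rwx) is this example's choice, not necessarily the exact mode the upstream patch set, and GNU find and coreutils (as shipped on RHEL) are assumed. Distro errata such as the RHSAs referenced on this page may carry the fix under a different version string, so the advisory, not the version compare, is authoritative.

```shell
#!/bin/sh
# Added example (not from the advisory or the subscription-manager project):
# audit a subscription-manager state tree for entries that grant any
# permission to "other", strip those bits, and check whether an installed
# package version is at or past the upstream fix (1.17.7-1, per the
# advisory text). /var/lib/rhsm is the real default location; the chosen
# hardened mode (o-rwx) is this example's assumption, not necessarily the
# exact mode the upstream patch set.

# List every file or directory under $1 whose mode grants r, w or x to
# "other". Prints "<octal mode> <path>" per entry. GNU find is assumed
# (-perm /MODE and -printf), which is what RHEL ships.
rhsm_find_world_accessible() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "rhsm_find_world_accessible: not a directory: $root" >&2
        return 2
    fi
    find "$root" -perm /007 -printf '%m %p\n'
}

# Same walk, but print only the number of offending entries.
rhsm_count_world_accessible() {
    rhsm_find_world_accessible "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Remediation: remove read, write and execute for "other" on the whole tree.
# Owner and group bits are left alone so the owning user and group keep working.
rhsm_harden() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "rhsm_harden: not a directory: $root" >&2
        return 2
    fi
    chmod -R o-rwx "$root"
}

# Return 0 if VERSION-RELEASE ($1, as printed by
# rpm -q --qf '%{VERSION}-%{RELEASE}\n' subscription-manager) is >= 1.17.7-1.
# Uses sort -V (GNU coreutils) for a version-aware compare. Caveat: distro
# errata may ship the fix under a different version string; treat the
# vendor advisory, not this compare, as final.
rhsm_version_is_fixed() {
    fixed="1.17.7-1"
    lowest=$(printf '%s\n%s\n' "$fixed" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# When run directly with a path argument, audit that tree, e.g.:
#   sh rhsm_audit.sh /var/lib/rhsm
if [ "$#" -ge 1 ]; then
    rhsm_find_world_accessible "$1"
    echo "$(rhsm_count_world_accessible "$1") world-accessible entries under $1"
fi
```

Run the audit before and after applying the vendor update: a fixed package should leave nothing world-accessible under /var/lib/rhsm, and anything the audit still reports after the update is either a locally created file or a directory the package does not own, which rhsm_harden will close off without touching owner or group access.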

  • CVE-2016-4455 was assigned by Red Hat to track the vulnerability; it is currently rated LOW severity.

CVSS3 Score: 3.3 - LOW

Attack Vector  Attack Complexity  Privileges Required  User Interaction
LOCAL          LOW                LOW                  NONE

Scope      Confidentiality Impact  Integrity Impact  Availability Impact
UNCHANGED  LOW                     NONE              NONE

CVSS2 Score: 2.1 - LOW

Access Vector  Access Complexity  Authentication
LOCAL          LOW                NONE

Confidentiality Impact  Integrity Impact  Availability Impact
PARTIAL                 NONE              NONE

CVE References

  • Red Hat Subscription Manager /var/lib/rhsm/ Permissions Let Local Users Obtain Potentially Sensitive Information on the Target System (SecurityTracker)
    Tags: Third Party Advisory, VDB Entry
    Link: SECTRACK 1038083 (www.securitytracker.com)
  • 1297493, 1297485: Restrict visibility of subscription-manager caches (candlepin/subscription-manager commit, GitHub)
    Tags: Patch, Third Party Advisory
    Link: CONFIRM github.com/candlepin/subscription-manager/commit/9dec31
  • 1340525 – (CVE-2016-4455) CVE-2016-4455 subscription-manager: sensitive world readable files in /var/lib/rhsm/ (Red Hat Bugzilla)
    Tags: Issue Tracking, Patch, Third Party Advisory, VDB Entry
    Link: CONFIRM bugzilla.redhat.com/show_bug.cgi?id=1340525
  • Red Hat Customer Portal (web.archive.org; link inactive, not archived)
    Tags: Third Party Advisory, VDB Entry
    Link: REDHAT RHSA-2016:2592
  • Candlepin 'subscription-manager' CVE-2016-4455 Insecure File Permissions Vulnerability (cve.report archive)
    Tags: Third Party Advisory, VDB Entry
    Link: BID 93926
  • Red Hat Customer Portal (web.archive.org; link inactive, not archived)
    Tags: Third Party Advisory, VDB Entry
    Link: REDHAT RHSA-2017:0698
  • oss-security - CVE-2016-4455: subscription-manager: incorrect permisions in /var/lib/rhsm/ (www.openwall.com)
    Tags: Mailing List, Patch, Third Party Advisory
    Link: MLIST [oss-security] 20161026 CVE-2016-4455: subscription-manager: incorrect permisions in /var/lib/rhsm/
  • subscription-manager/subscription-manager.spec at subscription-manager-1.17.7-1 (candlepin/subscription-manager, GitHub)
    Tags: Third Party Advisory
    Link: CONFIRM github.com/candlepin/subscription-manager/blob/subscription-manager-1.17.7-1/subscription-manager.spec

Known Affected Configurations (CPE V2.3)

Type              Vendor  Product                    Version  Update  Edition  Language
Operating System  Redhat  Enterprise Linux Desktop   6.0      All     All      All
Operating System  Redhat  Enterprise Linux Desktop   7.0      All     All      All
Operating System  Redhat  Enterprise Linux Hpc Node  6.0      All     All      All
Operating System  Redhat  Enterprise Linux Hpc Node  7.0      All     All      All
Operating System  Redhat  Enterprise Linux Server    6.0      All     All      All
Operating System  Redhat  Enterprise Linux Server    7.0      All     All      All
Operating System  Redhat  Enterprise Linux Workstation  6.0   All     All      All
Operating System  Redhat  Enterprise Linux Workstation  7.0   All     All      All
Application       Redhat  Subscription-manager       All      All     All      All
  • cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:redhat:subscription-manager:*:*:*:*:*:*:*:*: