CVE-2016-4455

Published on: 04/14/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:26:59 PM UTC

CVE-2016-4455

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Certain versions of Enterprise Linux Desktop from Redhat contain the following vulnerability:

The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain sensitive information by reading files in the directories.

CVE-2016-4455 has been assigned by [email protected] to track the vulnerability - currently rated as LOW severity.

CVSS3 Score: 3.3 - LOW

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
LOCAL	LOW	LOW	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	LOW	NONE	NONE

CVSS2 Score: 2.1 - LOW

Access Vector^ⓘ	Access Complexity	Authentication
LOCAL	LOW	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
PARTIAL	NONE	NONE

CVE References

Description	Tags ^ⓘ	Link
Red Hat Subscription Manager /var/lib/rhsm/ Permissions Let Local Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker	Third Party Advisory VDB Entry www.securitytracker.com text/html	SECTRACK 1038083
1297493, 1297485: Restrict visibility of subscription-manager caches. · candlepin/[email protected] · GitHub	Patch Third Party Advisory github.com text/html	CONFIRM github.com/candlepin/subscription-manager/commit/9dec31
1340525 – (CVE-2016-4455) CVE-2016-4455 subscription-manager: sensitive world readable files in /var/lib/rhsm/	Issue Tracking Patch Third Party Advisory VDB Entry bugzilla.redhat.com text/html	CONFIRM bugzilla.redhat.com/show_bug.cgi?id=1340525
Red Hat Customer Portal	Third Party Advisory VDB Entry web.archive.org text/html Inactive LinkNot Archived	REDHAT RHSA-2016:2592
Candlepin 'subscription-manager' CVE-2016-4455 Insecure File Permissions Vulnerability	Third Party Advisory VDB Entry cve.report (archive) text/html	BID 93926
Red Hat Customer Portal	Third Party Advisory VDB Entry web.archive.org text/html Inactive LinkNot Archived	REDHAT RHSA-2017:0698
oss-security - CVE-2016-4455: subscription-manager: incorrect permisions in /var/lib/rhsm/	Mailing List Patch Third Party Advisory www.openwall.com text/html	MLIST [oss-security] 20161026 CVE-2016-4455: subscription-manager: incorrect permisions in /var/lib/rhsm/
subscription-manager/subscription-manager.spec at subscription-manager-1.17.7-1 · candlepin/subscription-manager · GitHub	Third Party Advisory github.com text/html	CONFIRM github.com/candlepin/subscription-manager/blob/subscription-manager-1.17.7-1/subscription-manager.spec

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Redhat	Enterprise Linux Desktop	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Desktop	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Desktop	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Desktop	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Server	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Server	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Server	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Server	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	7.0	All	All	All
Application	Redhat	Subscription-manager	All	All	All	All

cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*:
cpe:2.3:a:redhat:subscription-manager:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE