CVE-2011-4190

CWE-306 — Missing Authentication CWE-3103 documents3 sources

Severity

5.3MEDIUM

EPSS

0.2%

top 55.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Kdump Suse Suse Linux Enterprise Desktop Suse Suse Linux Enterprise Server

Timeline

PublishedJun 8

Latest updateMay 13

Description

The kdump implementation is missing the host key verification in the kdump and mkdumprd OpenSSH integration of kdump prior to version 2012-01-20. This is similar to CVE-2011-3588, but different in that the kdump implementation is specific to SUSE. A remote malicious kdump server could use this flaw to impersonate the correct kdump server to obtain security sensitive information (kdump core files).

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5suse/kdumpunspecified — 2012-01-20

▶NVDsuse/suse_linux_enterprise_server11, 11.0+1

▶NVDsuse/suse_linux_enterprise_desktop11

🔴Vulnerability Details

GHSA

GHSA-cp9h-xhgc-8r95: The kdump implementation is missing the host key verification in the kdump and mkdumprd OpenSSH integration of kdump prior to version 2012-01-20↗2022-05-13

▶

CVEList

Missing verification of host key for kdump server↗2018-06-08

▶