CVE-2019-3700Use of a Broken or Risky Cryptographic Algorithm in Yast2-security

CWE-327Use of a Broken or Risky Cryptographic Algorithm4 documents4 sources
Severity
3.3LOWNVD
CNA2.9
EPSS
0.0%
top 89.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Opensuse FactorySuse Yast2-security
Timeline
PublishedJan 24
Latest updateMay 24

Description

yast2-security didn't use secure defaults to protect passwords. This became a problem on 2019-10-07 when configuration files that set secure settings were moved to a different location. As of the 20191022 snapshot the insecure default settings were used until yast2-security switched to stronger defaults in 4.2.6 and used the new configuration file locations. Password created during this time used DES password encryption and are not properly protected against attackers that are able to access the

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages2 packages

NVDsuse/yast2-security< 4.2.6
CVEListV5opensuse/factoryyast2-security4.2.6

🔴Vulnerability Details

2
GHSA
GHSA-6ff8-jh7v-68j7: yast2-security didn't use secure defaults to protect passwords2022-05-24
CVEList
yast: Fallback to DES without configuration in /etc/login.def2020-01-24

💥Exploits & PoCs

1
Exploit-DB
Oracle Hospitality RES 3700 5.7 - Remote Code Execution2020-05-18
CVE-2019-3700 — Suse Yast2-security vulnerability | cvebase