NVD Vulnerability Detail

CVE-2012-6119

Summary	Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.
Publication Date	April 3, 2013, 7:55 a.m.
Registration Date	Jan. 28, 2021, 3:07 p.m.
Last Update	Nov. 21, 2024, 10:45 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:subscription_asset_manager:1.1.0:::::::*
cpe:2.3:a:redhat:subscription_asset_manager:1.0.0:::::::*
cpe:2.3:a:candlepinproject:candlepin:0.4.11:::::::*
cpe:2.3:a:redhat:subscription_asset_manager::::::::		1.2.0
cpe:2.3:a:candlepinproject:candlepin:0.6.3:::::::*
cpe:2.3:a:candlepinproject:candlepin::::::::		0.7.2
cpe:2.3:a:candlepinproject:candlepin:0.4.27:::::::*
cpe:2.3:a:candlepinproject:candlepin:0.5.5:::::::*
cpe:2.3:a:candlepinproject:candlepin:0.4.5:::::::*

Related information, measures and tools

No	URL	タグ
1	http://rhn.redhat.com/errata/RHSA-2013-0686.html	Vendor Advisory
2	http://rhn.redhat.com/errata/RHSA-2013-0686.html	Vendor Advisory
3	http://secunia.com/advisories/52774	Vendor Advisory
4	http://secunia.com/advisories/52774	Vendor Advisory
5	http://www.osvdb.org/91719
6	http://www.osvdb.org/91719
7	https://bugzilla.redhat.com/show_bug.cgi?id=908613
8	https://bugzilla.redhat.com/show_bug.cgi?id=908613
9	https://github.com/candlepin/candlepin/blob/master/candlepin.spec
10	https://github.com/candlepin/candlepin/blob/master/candlepin.spec
11	https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c
12	https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

JVN Vulnerability Information

Red Hat Subscription Asset Manager で使用される Candlepin におけるマニフェストを変更される脆弱性

Title	Red Hat Subscription Asset Manager で使用される Candlepin におけるマニフェストを変更される脆弱性
Summary	Red Hat Subscription Asset Manager で使用される Candlepin は、マニフェストの署名を適切にチェックしないため、マニフェストを変更される脆弱性が存在します。
Possible impacts	ローカルユーザにより、マニフェストを変更される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 26, 2013, midnight
Registration Date	April 4, 2013, 12:21 p.m.
Last Update	April 4, 2013, 12:21 p.m.

Affected System

レッドハット

Red Hat Subscription Asset Manager 1.2.1 未満

CandlepinProject.org

Candlepin 0.7.24 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-6119	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6119
National Vulnerability Database (NVD)
2	CVE-2012-6119	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6119

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
CandlepinProject.org
1	Candlepin	http://candlepinproject.org/
GitHub
2	candlepin/candlepin.spec at master	https://github.com/candlepin/candlepin/blob/master/candlepin.spec
3	Re-enable manifest signature checking	https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c
Red Hat Bugzilla
4	Bug 908613	https://bugzilla.redhat.com/show_bug.cgi?id=908613
Red Hat Security Advisory
5	RHSA-2013:0686	http://rhn.redhat.com/errata/RHSA-2013-0686.html

Change Log

No	Changed Details	Date of change
0	[2013年04月04日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:redhat:subscription_asset_manager:1.1.0:::::::*
cpe:2.3:a:redhat:subscription_asset_manager:1.0.0:::::::*
cpe:2.3:a:candlepinproject:candlepin:0.4.11:::::::*
cpe:2.3:a:redhat:subscription_asset_manager::::::::		1.2.0
cpe:2.3:a:candlepinproject:candlepin:0.6.3:::::::*
cpe:2.3:a:candlepinproject:candlepin::::::::		0.7.2
cpe:2.3:a:candlepinproject:candlepin:0.4.27:::::::*
cpe:2.3:a:candlepinproject:candlepin:0.5.5:::::::*
cpe:2.3:a:candlepinproject:candlepin:0.4.5:::::::*