CVE-2019-12450

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00076.html	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3530	Third Party Advisory
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174	Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/
https://security.netapp.com/advisory/ntap-20190606-0003/	Third Party Advisory
https://usn.ubuntu.com/4014-1/	Third Party Advisory
https://usn.ubuntu.com/4014-2/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::*

Configuration 5 (hide)

cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

History

07 Nov 2023, 03:03

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/', 'name': 'FEDORA-2019-c18d2bd1bd', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/ -

24 Mar 2023, 18:29

Type	Values Removed	Values Added
CPE		cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:::::::* cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm::: cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:::::::* cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::* cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::* cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm::: cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:::::::* cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:::::::* cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts::: cpe:2.3:o:redhat:enterprise_linux_eus:8.4:::::::* cpe:2.3:o:opensuse:leap:15.0:::::::* cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:8.6:::::::* cpe:2.3:o:fedoraproject:fedora:30:::::::* cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:::::::* cpe:2.3:o:debian:debian_linux:8.0:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::
First Time		Redhat enterprise Linux Eus Fedoraproject Redhat enterprise Linux Redhat Canonical Debian Opensuse leap Canonical ubuntu Linux Redhat enterprise Linux Server Tus Fedoraproject fedora Redhat enterprise Linux Server Aus Debian debian Linux Opensuse
References	~~(UBUNTU) https://usn.ubuntu.com/4014-1/ -~~	(UBUNTU) https://usn.ubuntu.com/4014-1/ - Third Party Advisory
References	~~(SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00076.html -~~	(SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00076.html - Third Party Advisory
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html - Mailing List, Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20190606-0003/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20190606-0003/ - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/ - Mailing List, Third Party Advisory
References	~~(REDHAT) https://access.redhat.com/errata/RHSA-2019:3530 -~~	(REDHAT) https://access.redhat.com/errata/RHSA-2019:3530 - Third Party Advisory
References	~~(UBUNTU) https://usn.ubuntu.com/4014-2/ -~~	(UBUNTU) https://usn.ubuntu.com/4014-2/ - Third Party Advisory

Information

Published : 2019-05-29 17:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-12450

Mitre link : CVE-2019-12450

CVE.ORG link : CVE-2019-12450

JSON object : View

Products Affected

redhat

enterprise_linux_server_tus
enterprise_linux_server_aus
enterprise_linux
enterprise_linux_eus

gnome

glib

opensuse

leap

debian

debian_linux

canonical

ubuntu_linux

fedoraproject

fedora

CWE

CWE-276

Incorrect Default Permissions

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

9.8 /10