Bulletin (SB10-165)
Vulnerability Summary for the Week of June 7, 2010
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis. |
High Vulnerabilities | ||||
---|---|---|---|---|
Primary Vendor -- Product |
Description | Published | CVSS Score | Source & Patch Info |
hp -- storageworks_storage_mirroring |
Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 before 5.2.1.870.0 allows remote attackers to execute arbitrary code via unknown vectors. | 2010-06-07 | 10.0 | CVE-2010-1962 HP |
Back to top |
Medium Vulnerabilities | ||||
---|---|---|---|---|
Primary Vendor -- Product |
Description | Published | CVSS Score | Source & Patch Info |
emc -- rsa_key_manager_client |
SQL injection vulnerability in EMC RSA Key Manager Client 1.5.x allows user-assisted remote attackers to execute arbitrary SQL commands via the metadata section of encrypted key data. | 2010-06-07 | 6.8 | CVE-2010-1904 BID FULLDISC |
exim -- exim |
transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's file. | 2010-06-07 | 4.4 | CVE-2010-2023 CONFIRM CONFIRM XF BID CONFIRM SECUNIA MLIST CONFIRM FULLDISC |
hp -- servicecenter |
Cross-site scripting (XSS) vulnerability in HP ServiceCenter allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2010-06-07 | 4.3 | CVE-2010-1963 HP |
todd_miller -- sudo |
The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable. | 2010-06-07 | 6.2 | CVE-2010-1646 CONFIRM CONFIRM CONFIRM CONFIRM BID OSVDB SECUNIA |
Back to top |
Low Vulnerabilities | ||||
---|---|---|---|---|
Primary Vendor -- Product |
Description | Published | CVSS Score | Source & Patch Info |
redhat -- yum-rhn-plugin |
yum-rhn-plugin in Red Hat Network Client Tools (aka rhn-client-tools) on Red Hat Enterprise Linux (RHEL) 5 and Fedora uses world-readable permissions for the /var/spool/up2date/loginAuth.pkl file, which allows local users to access the Red Hat Network profile, and possibly prevent future security updates, by leveraging authentication data from this file. | 2010-06-07 | 3.6 | CVE-2010-1439 CONFIRM XF VUPEN BID REDHAT OSVDB SECTRACK SECUNIA |
Back to top |
This product is provided subject to this Notification and this Privacy & Use policy.