Vulnerability in Novell Suse_lifecycle_management_server

CVE-2013-3709

WebYaST 1.3 uses weak permissions for config/initializers/secret_token.rb, which allows local users to gain privileges by reading the Rails secret token from this file.

EPSS: 0.000 (8.7th percentile) — read the EPSS interpretation.

Affected products

Novell Suse_lifecycle_management_server — versions 1.3
Suse Studio_onsite — versions 1.3
Suse Webyast — versions 1.3
N/a — versions n/a

Weakness classification (CWE)

CWE-264

References

openSUSE-SU-2013:1961 (vendor-advisory, x_refsource_SUSE)
SUSE-SU-2014:0022 (vendor-advisory, x_refsource_SUSE)
openSUSE-SU-2013:1952 (vendor-advisory, x_refsource_SUSE)
openSUSE-SU-2013:1954 (vendor-advisory, x_refsource_SUSE)
cve@mitre.org (x_refsource_MISC)
SUSE-SU-2013:1894 (vendor-advisory, x_refsource_SUSE)
cve@mitre.org (x_refsource_CONFIRM, Exploit)