CVE-2018-20105

low-risk

Published 2020-01-27

A Inclusion of Sensitive Information in Log Files vulnerability in yast2-rmt of SUSE Linux Enterprise Server 15; openSUSE Leap allows local attackers to learn the password if they can access the log file. This issue affects: SUSE Linux Enterprise Server 15 yast2-rmt versions prior to 1.2.2. openSUSE Leap yast2-rmt versions prior to 1.2.2.

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.0/10 Medium

LOCAL / LOW complexity

Affected Products (3)

Yast2-Rmt

Leap

Suse Linux Enterprise Server

Affected Vendors

Suse Opensuse Yast2-Rmt Project

References (6)

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00035.html

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00015.html

https://bugzilla.suse.com/show_bug.cgi?id=1119835

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00035.html

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00015.html

https://bugzilla.suse.com/show_bug.cgi?id=1119835

/ 100

low-risk

Severity 14/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 9/34 · Low