CVE-2019-7307 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-7307 Interim 1 21 2025-11-05T03:10:42Z current 2021-05-30T14:24:21Z 2025-11-05T03:10:42Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-7307 Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2.20.9-0ubuntu7.7, 2.20.10-0ubuntu27.1, 2.20.11-0ubuntu5 contained a TOCTTOU vulnerability when reading the users ~/.apport-ignore.xml file, which allows a local attacker to replace this file with a symlink to any other file on the system and so cause Apport to include the contents of this other file in the resulting crash report. The crash report could then be read by that user either by causing it to be uploaded and reported to Launchpad, or by leveraging some other vulnerability to read the resulting crash report, and so allow the user to read arbitrary files on the system. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 11 SP1-TERADATA SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server 11 SP4 LTSS apport-0.114-12.8.6.1 apport-crashdb-sle apport-crashdb-sle-0.114-0.8.6.1 apport-gtk-0.114-12.8.6.1 apport-0.114-12.8.6.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA apport-crashdb-sle-0.114-0.8.6.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA apport-gtk-0.114-12.8.6.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA apport-0.114-12.8.6.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA apport-crashdb-sle-0.114-0.8.6.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA apport-gtk-0.114-12.8.6.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA apport-crashdb-sle as a component of SUSE Linux Enterprise Server 11 SP4 LTSS Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2.20.9-0ubuntu7.7, 2.20.10-0ubuntu27.1, 2.20.11-0ubuntu5 contained a TOCTTOU vulnerability when reading the users ~/.apport-ignore.xml file, which allows a local attacker to replace this file with a symlink to any other file on the system and so cause Apport to include the contents of this other file in the resulting crash report. The crash report could then be read by that user either by causing it to be uploaded and reported to Launchpad, or by leveraging some other vulnerability to read the resulting crash report, and so allow the user to read arbitrary files on the system. CVE-2019-7307 SUSE Linux Enterprise Server 11 SP1-TERADATA:apport-0.114-12.8.6.1 SUSE Linux Enterprise Server 11 SP1-TERADATA:apport-crashdb-sle-0.114-0.8.6.1 SUSE Linux Enterprise Server 11 SP1-TERADATA:apport-gtk-0.114-12.8.6.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:apport-0.114-12.8.6.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:apport-crashdb-sle-0.114-0.8.6.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:apport-gtk-0.114-12.8.6.1 low 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N