CVE-2019-25067

[eslerm]

Was podman contacted about CVE assignment CVE-2019-25067 [0]? Do you agree with this assignment?

My hunch is that a CNA assigned this CVE based on an entry in exploit-db [1]. I didn't look closely, but this exploit mentions several vulnerabilities which may have already been addressed, such as CVE-2019-10152 [2].

[0] https://nvd.nist.gov/vuln/detail/CVE-2019-25067
[1] https://www.exploit-db.com/exploits/47500
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-10152

[rhatdan]

Podman has not used varlink for many years.

[eslerm]

Thanks @rhatdan

@marcruef please consider disputing or rejecting the CVE VulDB assigned.

[marcruef]

Thanks for the feedback. We are happy to update the CVE entry as quickly as possible.

Yes, the assignment was based on the disclosure of https://www.exploit-db.com/exploits/47500

It mentions to have been tested on version 1.5.1 which was released in August 2019: https://github.com/containers/podman/releases/tag/v1.5.1

To me it is unclear whether CVE-2019-25067 is a duplicate of CVE-2019-10152 or if it is a false-positive at all.

[eslerm]

Since VulDB assigned and wrote the description for CVE-2019-25067, is VulDB able to determine if it duplicates CVE-2019-10152 (and possibly other CVEs)?

Can your CNA determine the "unknown part of the component API" mentioned in CVE-2019-25067?

CVE-2019-25067: A vulnerability, which was classified as critical, was found in Podman and Varlink 1.5.1. This affects an unknown part of the component API. The manipulation leads to Privilege Escalation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.