Note:
This project will be discontinued after December 13, 2021. [more]
2020-06-18
In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by looking at the process list when a data upload is being performed. This license can be used to upload data to a central Lynis server. Although no data can be extracted by knowing the license key, it may be possible to upload the data of additional scans.
| Products | Lynis, Debian_linux, Fedora |
| Type | Information Exposure (CWE-200) |
| First patch | - None (likely due to unavailable code) |
| Links |
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBFHIX6RTHCK37FXMAAXP4KGAMLUFDUD/
• https://cisofy.com/security/cve/cve-2019-13033/ • https://lists.debian.org/debian-lts-announce/2020/06/msg00024.html • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDCHEKNR3HPJRNHE5PYKFH5GNBADTPA7/ |