CVE-2019-19947 — MEDIUM (4.6)

Q: What is CVE-2019-19947?

CVE-2019-19947 is a vulnerability with a CVSS score of 4.6 (MEDIUM). In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.

Q: How severe is CVE-2019-19947?

CVE-2019-19947 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-19947?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux, Canonical Ubuntu Linux, Netapp Active Iq Unified Manager, Netapp Cloud Backup.

Vulnerability Description

In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.

CVSS Score

4.6

MEDIUM

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	<= 5.4.6
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	14.04
Netapp	Active Iq Unified Manager	-
Netapp	Cloud Backup	-
Netapp	Data Availability Services	-
Netapp	E-Series Santricity Os Controller	>= 11.0, <= 11.70.2
Netapp	Fas\/Aff Baseboard Management Controller	-
Netapp	Hci Baseboard Management Controller	h610s
Netapp	Solidfire \& Hci Management Node	-
Netapp	Steelstore Cloud Integrated Storage	-
Netapp	Aff Baseboard Management Controller	a700s
Netapp	Solidfire Baseboard Management Controller	-

Related Weaknesses (CWE)

CWE-908

References

http://www.openwall.com/lists/oss-security/2019/12/24/1Mailing ListThird Party Advisory
https://github.com/torvalds/linux/commit/da2311a6385c3b499da2ed5d9be59ce331fa93ePatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/01/msg00013.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00001.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20200204-0002/Third Party Advisory
https://usn.ubuntu.com/4284-1/Third Party Advisory
https://usn.ubuntu.com/4285-1/Third Party Advisory
https://usn.ubuntu.com/4427-1/Third Party Advisory
https://usn.ubuntu.com/4485-1/Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/12/24/1Mailing ListThird Party Advisory
https://github.com/torvalds/linux/commit/da2311a6385c3b499da2ed5d9be59ce331fa93ePatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/01/msg00013.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00001.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20200204-0002/Third Party Advisory
https://usn.ubuntu.com/4284-1/Third Party Advisory

FAQ

What is CVE-2019-19947?

CVE-2019-19947 is a vulnerability with a CVSS score of 4.6 (MEDIUM). In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.

How severe is CVE-2019-19947?

CVE-2019-19947 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-19947?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux, Canonical Ubuntu Linux, Netapp Active Iq Unified Manager, Netapp Cloud Backup.