CVE-2018-1000135

Advisory lineage Upstream: 0 Downstream: 6

Downstream

DEBIAN-CVE-2018-1000135 OPENSUSE-SU-2019:1494-1 OPENSUSE-SU-2024:10602-1 RHBA-2018:3207 SUSE-SU-2019:1369-1 UBUNTU-CVE-2018-1000135

Modified

Published: 20 Mar 2018, 13:00

Last modified:05 Aug 2024, 12:33

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.0 (nvd)

EPSS Score

1.11% LOW

1% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

20 Mar 2018, 13:00

Published

Vulnerability first disclosed

05 Aug 2024, 12:33

Last Modified

Vulnerability information updated

Description

GNOME NetworkManager version 1.10.2 and earlier contains a Information Exposure (CWE-200) vulnerability in DNS resolver that can result in Private DNS queries leaked to local network's DNS servers, while on VPN. This vulnerability appears to have been fixed in Some Ubuntu 16.04 packages were fixed, but later updates removed the fix. cf. https://bugs.launchpad.net/ubuntu/+bug/1754671 an upstream fix does not appear to be available at this time.

CVSS Metrics

v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 1.11%• Percentile: 79%

Techniques & Countermeasures

CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

canonical•ubuntu_linux
16.04
gnome•networkmanager
≤ 1.10.2