{
  "threat_severity" : "Low",
  "public_date" : "2019-08-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: information leak bug caused  by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c",
    "id" : "1783534",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1783534"
  },
  "cvss3" : {
    "cvss3_base_score" : "2.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-772->CWE-200",
  "details" : [ "In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.", "An information leak flaw was found in the Linux kernel's USB digital video device driver. An attacker with a malicious USB device presenting itself as a 'Technotrend/Hauppauge USB DEC' device is able to issue commands to this specific device and leak kernel internal memory information.  The highest threat from this vulnerability is a breach of data confidentiality." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4609",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-240.rt7.54.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4431",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-240.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-alt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-19533\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-19533" ],
  "name" : "CVE-2019-19533",
  "mitigation" : {
    "value" : "As the ttusb_dec module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:\n# echo \"install ttusb_dec /bin/true\" >> /etc/modprobe.d/disable-cifs.conf \nThe system will need to be restarted if the ttusb_dec module is already loaded. In most circumstances, the CIFS kernel module will be unable to be unloaded while the device is in use. If the system requires this module to work correctly, this mitigation may not be suitable. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.",
    "lang" : "en:us"
  },
  "csaw" : false
}