Vulnerability CVE-2019-3893

Published: 2019-04-09

Description:
In Foreman, it was discovered that the delete compute resource operation, when executed through the Foreman API, discloses the plaintext password or token of the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control of compute resources managed by Foreman. Versions before 1.20.3, 1.21.1 and 1.22.0 are vulnerable.

Type: CWE-200 (Information Exposure)

CVSS2 vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score:         4/10
Impact Subscore:         2.9/10
Exploitability Subscore: 8/10

Exploit range:           Remote
Attack complexity:       Low
Authentication:          Single time

Confidentiality impact:  Partial
Integrity impact:        None
Availability impact:     None

Affected software:
Theforeman -> Foreman
Redhat -> Satellite

References:
http://www.openwall.com/lists/oss-security/2019/04/14/2
http://www.securityfocus.com/bid/107846
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893
https://github.com/theforeman/foreman/pull/6621
https://projects.theforeman.org/issues/26450

Copyright 2024, cxsecurity.com
