Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-3893

In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.

Published

2019-04-09T16:29:02.037

Last Modified

2024-11-21T04:42:48.757

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-732
Type: Primary
CWE-732

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	theforeman	foreman	< 1.20.3	Yes
Application	theforeman	foreman	< 1.21.1	Yes
Application	redhat	satellite	6.0	Yes

References

http://www.openwall.com/lists/oss-security/2019/04/14/2 Mailing List, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/107846 Third Party Advisory, VDB Entry ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893 Issue Tracking, Third Party Advisory ([email protected])
https://github.com/theforeman/foreman/pull/6621 Third Party Advisory ([email protected])
https://projects.theforeman.org/issues/26450 Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2019/04/14/2 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/107846 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/theforeman/foreman/pull/6621 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://projects.theforeman.org/issues/26450 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)