Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-0851

There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.

Published

2022-08-29T15:15:09.973

Last Modified

2024-11-21T06:39:31.643

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

Weaknesses

Type: Primary
CWE-200
Type: Secondary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	convert2rhel_project	convert2rhel	-	Yes
Operating System	redhat	enterprise_linux	7.0	Yes
Operating System	redhat	enterprise_linux	8.0	Yes

References

https://access.redhat.com/security/cve/CVE-2022-0851 Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=2060217 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://access.redhat.com/security/cve/CVE-2022-0851 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=2060217 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)