CVE-2019-3893
foreman: Recovery of plaintext password or token for compute resources
- Public Exploits: 0
- Exploited in Wild: -
Description
In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by Foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.
Timeline
- 2019-01-03 CVE Reserved
- 2019-04-09 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-30 EPSS Updated
CWE
- CWE-732: Incorrect Permission Assignment for Critical Resource
References (7)
URL | Tag | Source
---|---|---
http://www.openwall.com/lists/oss-security/2019/04/14/2 | Mailing List |
http://www.securityfocus.com/bid/107846 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893 | Issue Tracking |
https://github.com/theforeman/foreman/pull/6621 | Third Party Advisory |

URL | Date | Source
---|---|---
https://projects.theforeman.org/issues/26450 | 2022-11-30 |
https://access.redhat.com/security/cve/CVE-2019-3893 | 2019-10-22 |
https://bugzilla.redhat.com/show_bug.cgi?id=1696400 | 2019-10-22 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Theforeman | Foreman | >= 1.20.0 < 1.20.3 | - | Affected
Theforeman | Foreman | >= 1.21.0 < 1.21.1 | - | Affected
Redhat | Satellite | 6.0 | - | Affected