In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2019/04/14/2 | Mailing List Third Party Advisory |
http://www.securityfocus.com/bid/107846 | Third Party Advisory VDB Entry |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893 | Issue Tracking Third Party Advisory |
https://github.com/theforeman/foreman/pull/6621 | Third Party Advisory |
https://projects.theforeman.org/issues/26450 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2019-04-09T15:17:14
Updated: 2020-12-04T18:00:59
Reserved: 2019-01-03T00:00:00
Link: CVE-2019-3893
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-04-09T16:29:02.037
Modified: 2022-11-30T22:00:51.447
Link: CVE-2019-3893
JSON object: View
Redhat Information
No data.
CWE