Vulnerabilites related to redhat - cfme-gemset
Vulnerability from fkie_nvd
Published
2019-06-14 14:29
Modified
2024-11-21 04:18
Summary
cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available.
Impacted products
Vendor Product Version
redhat cfme-gemset *
redhat cfme-gemset *
redhat cloudforms 4.7



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:cfme-gemset:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A7FD6A58-0D10-4A4C-83DD-0BC2F0234E7B",
                     versionEndIncluding: "5.9.9.3",
                     versionStartIncluding: "5.9.0.22",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:redhat:cfme-gemset:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "65E764BE-FAC3-444E-B187-2D798BEF4DA1",
                     versionEndIncluding: "5.10.4.3",
                     versionStartIncluding: "5.10.0.33",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*",
                     matchCriteriaId: "04AC556D-D511-4C4C-B9FB-A089BB2FEFD5",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available.",
      },
      {
         lang: "es",
         value: "cfme-gemset versión 5.10.4.3 y anteriores, versión 5.9.9.3 y anteriores son vulnerables a un filtrado de datos, debido a una autorización inapropiada en el controlador del registro de migración. Un atacante con acceso a un usuario sin privilegios puede ingresar a todos los registros de migración VM disponibles.",
      },
   ],
   id: "CVE-2019-10159",
   lastModified: "2024-11-21T04:18:32.573",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
               version: "3.0",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "secalert@redhat.com",
            type: "Secondary",
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2019-06-14T14:29:00.407",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2466",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2019:2466",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-285",
            },
         ],
         source: "secalert@redhat.com",
         type: "Primary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-Other",
            },
         ],
         source: "nvd@nist.gov",
         type: "Secondary",
      },
   ],
}

cve-2019-10159
Vulnerability from cvelistv5
Published
2019-06-14 13:53
Modified
2024-08-04 22:10
Summary
cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available.
References
Impacted products
Vendor Product Version
Red Hat cfme Version: 5.10.4.3 and below, 5.9.9.3 and below
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T22:10:09.973Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159",
               },
               {
                  name: "RHSA-2019:2466",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2466",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "cfme",
               vendor: "Red Hat",
               versions: [
                  {
                     status: "affected",
                     version: "5.10.4.3 and below, 5.9.9.3 and below",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-285",
                     description: "CWE-285",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-08-13T13:06:06",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159",
            },
            {
               name: "RHSA-2019:2466",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2466",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2019-10159",
      datePublished: "2019-06-14T13:53:19",
      dateReserved: "2019-03-27T00:00:00",
      dateUpdated: "2024-08-04T22:10:09.973Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}