Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-0851 (GCVE-0-2022-0851)
Vulnerability from cvelistv5 – Published: 2022-08-29 14:03 – Updated: 2024-08-02 23:40
VLAI?
EPSS
Summary
There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.
Severity ?
No CVSS data available.
CWE
- CWE-200 - - Exposure of Sensitive Information to an Unauthorized Actor.
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | convert2rhel |
Affected:
Not-Known
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.571Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "convert2rhel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Not-Known"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-29T14:03:05",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-0851",
"datePublished": "2022-08-29T14:03:05",
"dateReserved": "2022-03-04T00:00:00",
"dateUpdated": "2024-08-02T23:40:04.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:convert2rhel_project:convert2rhel:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9DEF01A-0870-41A6-A810-E3EA5BA1FA16\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.\"}, {\"lang\": \"es\", \"value\": \"Se presenta un fallo en convert2rhel. Cuando es usada la opci\\u00f3n --activationkey con convert2rhel, la clave de activaci\\u00f3n es pasada posteriormente a subscription-manager por medio de la l\\u00ednea de comandos, lo que podr\\u00eda permitir a usuarios no autorizados localmente en la m\\u00e1quina visualizar la clave de activaci\\u00f3n por medio de la l\\u00ednea de comandos del proceso mediante, por ejemplo, htop o ps. El impacto espec\\u00edfico var\\u00eda seg\\u00fan la suscripci\\u00f3n, pero generalmente esto permitir\\u00eda a un atacante registrar sistemas comprados por la v\\u00edctima hasta que se descubra; una forma de fraude. Esto podr\\u00eda ocurrir independientemente de c\\u00f3mo sea suministrada la clave de activaci\\u00f3n a convert2rhel, ya que implica la forma en que convert2rhel la proporciona a subscription-manager\"}]",
"id": "CVE-2022-0851",
"lastModified": "2024-11-21T06:39:31.643",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
"published": "2022-08-29T15:15:09.973",
"references": "[{\"url\": \"https://access.redhat.com/security/cve/CVE-2022-0851\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2060217\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2022-0851\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2060217\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-0851\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2022-08-29T15:15:09.973\",\"lastModified\":\"2024-11-21T06:39:31.643\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.\"},{\"lang\":\"es\",\"value\":\"Se presenta un fallo en convert2rhel. Cuando es usada la opci\u00f3n --activationkey con convert2rhel, la clave de activaci\u00f3n es pasada posteriormente a subscription-manager por medio de la l\u00ednea de comandos, lo que podr\u00eda permitir a usuarios no autorizados localmente en la m\u00e1quina visualizar la clave de activaci\u00f3n por medio de la l\u00ednea de comandos del proceso mediante, por ejemplo, htop o ps. El impacto espec\u00edfico var\u00eda seg\u00fan la suscripci\u00f3n, pero generalmente esto permitir\u00eda a un atacante registrar sistemas comprados por la v\u00edctima hasta que se descubra; una forma de fraude. Esto podr\u00eda ocurrir independientemente de c\u00f3mo sea suministrada la clave de activaci\u00f3n a convert2rhel, ya que implica la forma en que convert2rhel la proporciona a subscription-manager\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:convert2rhel_project:convert2rhel:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9DEF01A-0870-41A6-A810-E3EA5BA1FA16\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2022-0851\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2060217\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2022-0851\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2060217\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]}]}}"
}
}
RHSA-2022:6268
Vulnerability from csaf_redhat - Published: 2022-08-31 13:03 - Updated: 2025-11-21 18:33Summary
Red Hat Security Advisory: convert2rhel security, bug fix, and enhancement update
Notes
Topic
An update for convert2rhel is now available for Convert2RHEL for RHEL-7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.
Security Fix(es):
* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)
Bug Fix(es):
* Conversion fails due to gnome-documents-libs conflict (BZ#2043724)
* Using dbus API for RHSM registration to safely pass the activation key
* Verifying GPG key for UBI repositories
Deprecation:
* Deprecated `-f|--password-from-file` parameter option
Enhancement(s):
* Checking if a new version of convert2rhel is available
* Warning if multiple authentication sources are specified
* Fixed logging error with unavailable RHSM certificate
* Fixed gnome-documents-libs package conflict
* Fixed handling shim-x64 package protection on non-UEFI systems
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for convert2rhel is now available for Convert2RHEL for RHEL-7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.\n\nSecurity Fix(es):\n\n* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)\n\nBug Fix(es):\n\n* Conversion fails due to gnome-documents-libs conflict (BZ#2043724)\n* Using dbus API for RHSM registration to safely pass the activation key \n* Verifying GPG key for UBI repositories\n\nDeprecation:\n\n* Deprecated `-f|--password-from-file` parameter option\n\nEnhancement(s):\n\n* Checking if a new version of convert2rhel is available\n* Warning if multiple authentication sources are specified\n* Fixed logging error with unavailable RHSM certificate\n* Fixed gnome-documents-libs package conflict\n* Fixed handling shim-x64 package protection on non-UEFI systems\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6268",
"url": "https://access.redhat.com/errata/RHSA-2022:6268"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2043724",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043724"
},
{
"category": "external",
"summary": "2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "RHELC-700",
"url": "https://issues.redhat.com/browse/RHELC-700"
},
{
"category": "external",
"summary": "RHELC-701",
"url": "https://issues.redhat.com/browse/RHELC-701"
},
{
"category": "external",
"summary": "RHELC-702",
"url": "https://issues.redhat.com/browse/RHELC-702"
},
{
"category": "external",
"summary": "RHELC-703",
"url": "https://issues.redhat.com/browse/RHELC-703"
},
{
"category": "external",
"summary": "RHELC-704",
"url": "https://issues.redhat.com/browse/RHELC-704"
},
{
"category": "external",
"summary": "RHELC-705",
"url": "https://issues.redhat.com/browse/RHELC-705"
},
{
"category": "external",
"summary": "RHELC-706",
"url": "https://issues.redhat.com/browse/RHELC-706"
},
{
"category": "external",
"summary": "RHELC-707",
"url": "https://issues.redhat.com/browse/RHELC-707"
},
{
"category": "external",
"summary": "RHELC-708",
"url": "https://issues.redhat.com/browse/RHELC-708"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6268.json"
}
],
"title": "Red Hat Security Advisory: convert2rhel security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2025-11-21T18:33:13+00:00",
"generator": {
"date": "2025-11-21T18:33:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2022:6268",
"initial_release_date": "2022-08-31T13:03:07+00:00",
"revision_history": [
{
"date": "2022-08-31T13:03:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-08-31T13:03:07+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:33:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Convert2RHEL for RHEL-7",
"product": {
"name": "Convert2RHEL for RHEL-7",
"product_id": "7Server-Convert2RHEL",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:convert2rhel::el7"
}
}
}
],
"category": "product_family",
"name": "Convert2RHEL"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el7.src",
"product": {
"name": "convert2rhel-0:1.0-1.el7.src",
"product_id": "convert2rhel-0:1.0-1.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el7.noarch",
"product": {
"name": "convert2rhel-0:1.0-1.el7.noarch",
"product_id": "convert2rhel-0:1.0-1.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el7.noarch as a component of Convert2RHEL for RHEL-7",
"product_id": "7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch"
},
"product_reference": "convert2rhel-0:1.0-1.el7.noarch",
"relates_to_product_reference": "7Server-Convert2RHEL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el7.src as a component of Convert2RHEL for RHEL-7",
"product_id": "7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
},
"product_reference": "convert2rhel-0:1.0-1.el7.src",
"relates_to_product_reference": "7Server-Convert2RHEL"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Toshio Kuratomi"
],
"organization": "Red Hat, Inc.",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-0851",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"discovery_date": "2022-03-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060217"
}
],
"notes": [
{
"category": "description",
"text": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "convert2rhel: Activation key passed via command line by code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch",
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"category": "external",
"summary": "RHBZ#2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0851",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0851"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851"
}
],
"release_date": "2022-04-26T16:14:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-08-31T13:03:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch",
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6268"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch",
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch",
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "convert2rhel: Activation key passed via command line by code"
}
]
}
RHSA-2022_6266
Vulnerability from csaf_redhat - Published: 2022-08-31 13:01 - Updated: 2024-11-26 07:54Summary
Red Hat Security Advisory: convert2rhel security update
Notes
Topic
An update for convert2rhel is now available for Convert2RHEL for RHEL-6.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.
Security Fix(es):
* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for convert2rhel is now available for Convert2RHEL for RHEL-6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.\n\nSecurity Fix(es):\n\n* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6266",
"url": "https://access.redhat.com/errata/RHSA-2022:6266"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6266.json"
}
],
"title": "Red Hat Security Advisory: convert2rhel security update",
"tracking": {
"current_release_date": "2024-11-26T07:54:46+00:00",
"generator": {
"date": "2024-11-26T07:54:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:6266",
"initial_release_date": "2022-08-31T13:01:33+00:00",
"revision_history": [
{
"date": "2022-08-31T13:01:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-08-31T13:01:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-26T07:54:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Convert2RHEL for RHEL-6",
"product": {
"name": "Convert2RHEL for RHEL-6",
"product_id": "6Server-Convert2RHEL",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:convert2rhel::el6"
}
}
}
],
"category": "product_family",
"name": "Convert2RHEL"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el6.src",
"product": {
"name": "convert2rhel-0:1.0-1.el6.src",
"product_id": "convert2rhel-0:1.0-1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el6.noarch",
"product": {
"name": "convert2rhel-0:1.0-1.el6.noarch",
"product_id": "convert2rhel-0:1.0-1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el6.noarch as a component of Convert2RHEL for RHEL-6",
"product_id": "6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch"
},
"product_reference": "convert2rhel-0:1.0-1.el6.noarch",
"relates_to_product_reference": "6Server-Convert2RHEL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el6.src as a component of Convert2RHEL for RHEL-6",
"product_id": "6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
},
"product_reference": "convert2rhel-0:1.0-1.el6.src",
"relates_to_product_reference": "6Server-Convert2RHEL"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Toshio Kuratomi"
],
"organization": "Red Hat, Inc.",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-0851",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"discovery_date": "2022-03-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060217"
}
],
"notes": [
{
"category": "description",
"text": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "convert2rhel: Activation key passed via command line by code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"category": "external",
"summary": "RHBZ#2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0851",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0851"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851"
}
],
"release_date": "2022-04-26T16:14:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-08-31T13:01:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6266"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "convert2rhel: Activation key passed via command line by code"
}
]
}
RHSA-2022:6269
Vulnerability from csaf_redhat - Published: 2022-08-31 13:03 - Updated: 2025-11-21 18:33Summary
Red Hat Security Advisory: convert2rhel security, bug fix, and enhancement update
Notes
Topic
An update for convert2rhel is now available for Convert2RHEL for RHEL-8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enterprise Linux versions.
Security Fix(es):
* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)
Bug Fix(es):
* Using dbus API for RHSM registration to safely pass the activation key
* Verifying GPG key for UBI repositories
Deprecation:
* Deprecated `-f|--password-from-file` parameter option.
Enhancement(s):
* Checking if a new version of convert2rhel is available
* Warning if multiple authentication sources are specified
* Fixed logging error with unavailable RHSM certificate
* Fixed handling shim-x64 package protection on non-UEFI systems
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for convert2rhel is now available for Convert2RHEL for RHEL-8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enterprise Linux versions.\n\nSecurity Fix(es):\n\n* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)\n\nBug Fix(es):\n\n* Using dbus API for RHSM registration to safely pass the activation key \n* Verifying GPG key for UBI repositories\n\nDeprecation:\n\n* Deprecated `-f|--password-from-file` parameter option.\n\nEnhancement(s):\n\n* Checking if a new version of convert2rhel is available\n* Warning if multiple authentication sources are specified\n* Fixed logging error with unavailable RHSM certificate\n* Fixed handling shim-x64 package protection on non-UEFI systems\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6269",
"url": "https://access.redhat.com/errata/RHSA-2022:6269"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "RHELC-126",
"url": "https://issues.redhat.com/browse/RHELC-126"
},
{
"category": "external",
"summary": "RHELC-251",
"url": "https://issues.redhat.com/browse/RHELC-251"
},
{
"category": "external",
"summary": "RHELC-332",
"url": "https://issues.redhat.com/browse/RHELC-332"
},
{
"category": "external",
"summary": "RHELC-367",
"url": "https://issues.redhat.com/browse/RHELC-367"
},
{
"category": "external",
"summary": "RHELC-411",
"url": "https://issues.redhat.com/browse/RHELC-411"
},
{
"category": "external",
"summary": "RHELC-413",
"url": "https://issues.redhat.com/browse/RHELC-413"
},
{
"category": "external",
"summary": "RHELC-45",
"url": "https://issues.redhat.com/browse/RHELC-45"
},
{
"category": "external",
"summary": "RHELC-597",
"url": "https://issues.redhat.com/browse/RHELC-597"
},
{
"category": "external",
"summary": "RHELC-678",
"url": "https://issues.redhat.com/browse/RHELC-678"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6269.json"
}
],
"title": "Red Hat Security Advisory: convert2rhel security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2025-11-21T18:33:14+00:00",
"generator": {
"date": "2025-11-21T18:33:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2022:6269",
"initial_release_date": "2022-08-31T13:03:30+00:00",
"revision_history": [
{
"date": "2022-08-31T13:03:30+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-08-31T13:03:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:33:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Convert2RHEL for RHEL-8",
"product": {
"name": "Convert2RHEL for RHEL-8",
"product_id": "8Base-Convert2RHEL",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:convert2rhel::el8"
}
}
}
],
"category": "product_family",
"name": "Convert2RHEL"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el8.src",
"product": {
"name": "convert2rhel-0:1.0-1.el8.src",
"product_id": "convert2rhel-0:1.0-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el8.noarch",
"product": {
"name": "convert2rhel-0:1.0-1.el8.noarch",
"product_id": "convert2rhel-0:1.0-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el8.noarch as a component of Convert2RHEL for RHEL-8",
"product_id": "8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch"
},
"product_reference": "convert2rhel-0:1.0-1.el8.noarch",
"relates_to_product_reference": "8Base-Convert2RHEL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el8.src as a component of Convert2RHEL for RHEL-8",
"product_id": "8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
},
"product_reference": "convert2rhel-0:1.0-1.el8.src",
"relates_to_product_reference": "8Base-Convert2RHEL"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Toshio Kuratomi"
],
"organization": "Red Hat, Inc.",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-0851",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"discovery_date": "2022-03-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060217"
}
],
"notes": [
{
"category": "description",
"text": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "convert2rhel: Activation key passed via command line by code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch",
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"category": "external",
"summary": "RHBZ#2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0851",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0851"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851"
}
],
"release_date": "2022-04-26T16:14:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-08-31T13:03:30+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch",
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6269"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch",
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch",
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "convert2rhel: Activation key passed via command line by code"
}
]
}
RHSA-2022_6268
Vulnerability from csaf_redhat - Published: 2022-08-31 13:03 - Updated: 2024-11-26 07:54Summary
Red Hat Security Advisory: convert2rhel security, bug fix, and enhancement update
Notes
Topic
An update for convert2rhel is now available for Convert2RHEL for RHEL-7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.
Security Fix(es):
* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)
Bug Fix(es):
* Conversion fails due to gnome-documents-libs conflict (BZ#2043724)
* Using dbus API for RHSM registration to safely pass the activation key
* Verifying GPG key for UBI repositories
Deprecation:
* Deprecated `-f|--password-from-file` parameter option
Enhancement(s):
* Checking if a new version of convert2rhel is available
* Warning if multiple authentication sources are specified
* Fixed logging error with unavailable RHSM certificate
* Fixed gnome-documents-libs package conflict
* Fixed handling shim-x64 package protection on non-UEFI systems
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for convert2rhel is now available for Convert2RHEL for RHEL-7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.\n\nSecurity Fix(es):\n\n* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)\n\nBug Fix(es):\n\n* Conversion fails due to gnome-documents-libs conflict (BZ#2043724)\n* Using dbus API for RHSM registration to safely pass the activation key \n* Verifying GPG key for UBI repositories\n\nDeprecation:\n\n* Deprecated `-f|--password-from-file` parameter option\n\nEnhancement(s):\n\n* Checking if a new version of convert2rhel is available\n* Warning if multiple authentication sources are specified\n* Fixed logging error with unavailable RHSM certificate\n* Fixed gnome-documents-libs package conflict\n* Fixed handling shim-x64 package protection on non-UEFI systems\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6268",
"url": "https://access.redhat.com/errata/RHSA-2022:6268"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2043724",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043724"
},
{
"category": "external",
"summary": "2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "RHELC-700",
"url": "https://issues.redhat.com/browse/RHELC-700"
},
{
"category": "external",
"summary": "RHELC-701",
"url": "https://issues.redhat.com/browse/RHELC-701"
},
{
"category": "external",
"summary": "RHELC-702",
"url": "https://issues.redhat.com/browse/RHELC-702"
},
{
"category": "external",
"summary": "RHELC-703",
"url": "https://issues.redhat.com/browse/RHELC-703"
},
{
"category": "external",
"summary": "RHELC-704",
"url": "https://issues.redhat.com/browse/RHELC-704"
},
{
"category": "external",
"summary": "RHELC-705",
"url": "https://issues.redhat.com/browse/RHELC-705"
},
{
"category": "external",
"summary": "RHELC-706",
"url": "https://issues.redhat.com/browse/RHELC-706"
},
{
"category": "external",
"summary": "RHELC-707",
"url": "https://issues.redhat.com/browse/RHELC-707"
},
{
"category": "external",
"summary": "RHELC-708",
"url": "https://issues.redhat.com/browse/RHELC-708"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6268.json"
}
],
"title": "Red Hat Security Advisory: convert2rhel security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-26T07:54:37+00:00",
"generator": {
"date": "2024-11-26T07:54:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:6268",
"initial_release_date": "2022-08-31T13:03:07+00:00",
"revision_history": [
{
"date": "2022-08-31T13:03:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-08-31T13:03:07+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-26T07:54:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Convert2RHEL for RHEL-7",
"product": {
"name": "Convert2RHEL for RHEL-7",
"product_id": "7Server-Convert2RHEL",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:convert2rhel::el7"
}
}
}
],
"category": "product_family",
"name": "Convert2RHEL"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el7.src",
"product": {
"name": "convert2rhel-0:1.0-1.el7.src",
"product_id": "convert2rhel-0:1.0-1.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el7.noarch",
"product": {
"name": "convert2rhel-0:1.0-1.el7.noarch",
"product_id": "convert2rhel-0:1.0-1.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el7.noarch as a component of Convert2RHEL for RHEL-7",
"product_id": "7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch"
},
"product_reference": "convert2rhel-0:1.0-1.el7.noarch",
"relates_to_product_reference": "7Server-Convert2RHEL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el7.src as a component of Convert2RHEL for RHEL-7",
"product_id": "7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
},
"product_reference": "convert2rhel-0:1.0-1.el7.src",
"relates_to_product_reference": "7Server-Convert2RHEL"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Toshio Kuratomi"
],
"organization": "Red Hat, Inc.",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-0851",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"discovery_date": "2022-03-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060217"
}
],
"notes": [
{
"category": "description",
"text": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "convert2rhel: Activation key passed via command line by code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch",
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"category": "external",
"summary": "RHBZ#2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0851",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0851"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851"
}
],
"release_date": "2022-04-26T16:14:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-08-31T13:03:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch",
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6268"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch",
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.noarch",
"7Server-Convert2RHEL:convert2rhel-0:1.0-1.el7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "convert2rhel: Activation key passed via command line by code"
}
]
}
RHSA-2022:6266
Vulnerability from csaf_redhat - Published: 2022-08-31 13:01 - Updated: 2025-11-21 18:33Summary
Red Hat Security Advisory: convert2rhel security update
Notes
Topic
An update for convert2rhel is now available for Convert2RHEL for RHEL-6.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.
Security Fix(es):
* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for convert2rhel is now available for Convert2RHEL for RHEL-6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.\n\nSecurity Fix(es):\n\n* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6266",
"url": "https://access.redhat.com/errata/RHSA-2022:6266"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6266.json"
}
],
"title": "Red Hat Security Advisory: convert2rhel security update",
"tracking": {
"current_release_date": "2025-11-21T18:33:13+00:00",
"generator": {
"date": "2025-11-21T18:33:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2022:6266",
"initial_release_date": "2022-08-31T13:01:33+00:00",
"revision_history": [
{
"date": "2022-08-31T13:01:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-08-31T13:01:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:33:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Convert2RHEL for RHEL-6",
"product": {
"name": "Convert2RHEL for RHEL-6",
"product_id": "6Server-Convert2RHEL",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:convert2rhel::el6"
}
}
}
],
"category": "product_family",
"name": "Convert2RHEL"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el6.src",
"product": {
"name": "convert2rhel-0:1.0-1.el6.src",
"product_id": "convert2rhel-0:1.0-1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el6.noarch",
"product": {
"name": "convert2rhel-0:1.0-1.el6.noarch",
"product_id": "convert2rhel-0:1.0-1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el6.noarch as a component of Convert2RHEL for RHEL-6",
"product_id": "6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch"
},
"product_reference": "convert2rhel-0:1.0-1.el6.noarch",
"relates_to_product_reference": "6Server-Convert2RHEL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el6.src as a component of Convert2RHEL for RHEL-6",
"product_id": "6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
},
"product_reference": "convert2rhel-0:1.0-1.el6.src",
"relates_to_product_reference": "6Server-Convert2RHEL"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Toshio Kuratomi"
],
"organization": "Red Hat, Inc.",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-0851",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"discovery_date": "2022-03-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060217"
}
],
"notes": [
{
"category": "description",
"text": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "convert2rhel: Activation key passed via command line by code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"category": "external",
"summary": "RHBZ#2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0851",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0851"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851"
}
],
"release_date": "2022-04-26T16:14:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-08-31T13:01:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6266"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "convert2rhel: Activation key passed via command line by code"
}
]
}
RHSA-2022_6269
Vulnerability from csaf_redhat - Published: 2022-08-31 13:03 - Updated: 2024-11-26 07:54Summary
Red Hat Security Advisory: convert2rhel security, bug fix, and enhancement update
Notes
Topic
An update for convert2rhel is now available for Convert2RHEL for RHEL-8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enterprise Linux versions.
Security Fix(es):
* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)
Bug Fix(es):
* Using dbus API for RHSM registration to safely pass the activation key
* Verifying GPG key for UBI repositories
Deprecation:
* Deprecated `-f|--password-from-file` parameter option.
Enhancement(s):
* Checking if a new version of convert2rhel is available
* Warning if multiple authentication sources are specified
* Fixed logging error with unavailable RHSM certificate
* Fixed handling shim-x64 package protection on non-UEFI systems
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for convert2rhel is now available for Convert2RHEL for RHEL-8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enterprise Linux versions.\n\nSecurity Fix(es):\n\n* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)\n\nBug Fix(es):\n\n* Using dbus API for RHSM registration to safely pass the activation key \n* Verifying GPG key for UBI repositories\n\nDeprecation:\n\n* Deprecated `-f|--password-from-file` parameter option.\n\nEnhancement(s):\n\n* Checking if a new version of convert2rhel is available\n* Warning if multiple authentication sources are specified\n* Fixed logging error with unavailable RHSM certificate\n* Fixed handling shim-x64 package protection on non-UEFI systems\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6269",
"url": "https://access.redhat.com/errata/RHSA-2022:6269"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "RHELC-126",
"url": "https://issues.redhat.com/browse/RHELC-126"
},
{
"category": "external",
"summary": "RHELC-251",
"url": "https://issues.redhat.com/browse/RHELC-251"
},
{
"category": "external",
"summary": "RHELC-332",
"url": "https://issues.redhat.com/browse/RHELC-332"
},
{
"category": "external",
"summary": "RHELC-367",
"url": "https://issues.redhat.com/browse/RHELC-367"
},
{
"category": "external",
"summary": "RHELC-411",
"url": "https://issues.redhat.com/browse/RHELC-411"
},
{
"category": "external",
"summary": "RHELC-413",
"url": "https://issues.redhat.com/browse/RHELC-413"
},
{
"category": "external",
"summary": "RHELC-45",
"url": "https://issues.redhat.com/browse/RHELC-45"
},
{
"category": "external",
"summary": "RHELC-597",
"url": "https://issues.redhat.com/browse/RHELC-597"
},
{
"category": "external",
"summary": "RHELC-678",
"url": "https://issues.redhat.com/browse/RHELC-678"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6269.json"
}
],
"title": "Red Hat Security Advisory: convert2rhel security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-26T07:54:29+00:00",
"generator": {
"date": "2024-11-26T07:54:29+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:6269",
"initial_release_date": "2022-08-31T13:03:30+00:00",
"revision_history": [
{
"date": "2022-08-31T13:03:30+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-08-31T13:03:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-26T07:54:29+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Convert2RHEL for RHEL-8",
"product": {
"name": "Convert2RHEL for RHEL-8",
"product_id": "8Base-Convert2RHEL",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:convert2rhel::el8"
}
}
}
],
"category": "product_family",
"name": "Convert2RHEL"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el8.src",
"product": {
"name": "convert2rhel-0:1.0-1.el8.src",
"product_id": "convert2rhel-0:1.0-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el8.noarch",
"product": {
"name": "convert2rhel-0:1.0-1.el8.noarch",
"product_id": "convert2rhel-0:1.0-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el8.noarch as a component of Convert2RHEL for RHEL-8",
"product_id": "8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch"
},
"product_reference": "convert2rhel-0:1.0-1.el8.noarch",
"relates_to_product_reference": "8Base-Convert2RHEL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el8.src as a component of Convert2RHEL for RHEL-8",
"product_id": "8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
},
"product_reference": "convert2rhel-0:1.0-1.el8.src",
"relates_to_product_reference": "8Base-Convert2RHEL"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Toshio Kuratomi"
],
"organization": "Red Hat, Inc.",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-0851",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"discovery_date": "2022-03-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060217"
}
],
"notes": [
{
"category": "description",
"text": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "convert2rhel: Activation key passed via command line by code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch",
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"category": "external",
"summary": "RHBZ#2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0851",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0851"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851"
}
],
"release_date": "2022-04-26T16:14:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-08-31T13:03:30+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch",
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6269"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch",
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.noarch",
"8Base-Convert2RHEL:convert2rhel-0:1.0-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "convert2rhel: Activation key passed via command line by code"
}
]
}
FKIE_CVE-2022-0851
Vulnerability from fkie_nvd - Published: 2022-08-29 15:15 - Updated: 2024-11-21 06:39
Severity ?
Summary
There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2022-0851 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2060217 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2022-0851 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2060217 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| convert2rhel_project | convert2rhel | - | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:convert2rhel_project:convert2rhel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F9DEF01A-0870-41A6-A810-E3EA5BA1FA16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager."
},
{
"lang": "es",
"value": "Se presenta un fallo en convert2rhel. Cuando es usada la opci\u00f3n --activationkey con convert2rhel, la clave de activaci\u00f3n es pasada posteriormente a subscription-manager por medio de la l\u00ednea de comandos, lo que podr\u00eda permitir a usuarios no autorizados localmente en la m\u00e1quina visualizar la clave de activaci\u00f3n por medio de la l\u00ednea de comandos del proceso mediante, por ejemplo, htop o ps. El impacto espec\u00edfico var\u00eda seg\u00fan la suscripci\u00f3n, pero generalmente esto permitir\u00eda a un atacante registrar sistemas comprados por la v\u00edctima hasta que se descubra; una forma de fraude. Esto podr\u00eda ocurrir independientemente de c\u00f3mo sea suministrada la clave de activaci\u00f3n a convert2rhel, ya que implica la forma en que convert2rhel la proporciona a subscription-manager"
}
],
"id": "CVE-2022-0851",
"lastModified": "2024-11-21T06:39:31.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-29T15:15:09.973",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
GHSA-959J-7RC3-C387
Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-07 00:01
VLAI?
Details
There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.
Severity ?
5.5 (Medium)
{
"affected": [],
"aliases": [
"CVE-2022-0851"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T15:15:00Z",
"severity": "MODERATE"
},
"details": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"id": "GHSA-959j-7rc3-c387",
"modified": "2022-09-07T00:01:54Z",
"published": "2022-08-29T20:06:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:6266"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:6268"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:6269"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GSD-2022-0851
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-0851",
"description": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"id": "GSD-2022-0851",
"references": [
"https://access.redhat.com/errata/RHSA-2022:6266",
"https://access.redhat.com/errata/RHSA-2022:6268",
"https://access.redhat.com/errata/RHSA-2022:6269"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-0851"
],
"details": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"id": "GSD-2022-0851",
"modified": "2023-12-13T01:19:12.091219Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-0851",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "convert2rhel",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Not-Known"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-200",
"lang": "eng",
"value": "CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"name": "https://access.redhat.com/security/cve/CVE-2022-0851",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:convert2rhel_project:convert2rhel:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-0851"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://access.redhat.com/security/cve/CVE-2022-0851",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217",
"refsource": "MISC",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-02-12T22:15Z",
"publishedDate": "2022-08-29T15:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…