github - ghsa-xfjc-qf4h-hwgq

ghsa-xfjc-qf4h-hwgq

Vulnerability from github

Published

2022-05-13 01:12

Modified

2022-05-13 01:12

Severity

4.9 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-09T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the \"delete_compute_resource\" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.",
  "id": "GHSA-xfjc-qf4h-hwgq",
  "modified": "2022-05-13T01:12:23Z",
  "published": "2022-05-13T01:12:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3893"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theforeman/foreman/pull/6621"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893"
    },
    {
      "type": "WEB",
      "url": "https://projects.theforeman.org/issues/26450"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/04/14/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107846"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2019-3893

Vulnerability from cvelistv5

Published

2019-04-09 15:17

Modified

2024-08-04 19:19

Severity

4.9 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.

References

URL	Tags
http://www.securityfocus.com/bid/107846	vdb-entry, x_refsource_BID
http://www.openwall.com/lists/oss-security/2019/04/14/2	mailing-list, x_refsource_MLIST
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893	x_refsource_CONFIRM
https://projects.theforeman.org/issues/26450	x_refsource_MISC
https://github.com/theforeman/foreman/pull/6621	x_refsource_MISC

Impacted products

Vendor	Product
The Foreman Project	foreman

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:18.608Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "107846",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107846"
          },
          {
            "name": "[oss-security] 20190414 CVE-2019-3893: Foreman: Compute resource credentials exposed during deletion on API",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/04/14/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://projects.theforeman.org/issues/26450"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/theforeman/foreman/pull/6621"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "foreman",
          "vendor": "The Foreman Project",
          "versions": [
            {
              "status": "affected",
              "version": "1.20.3"
            },
            {
              "status": "affected",
              "version": "1.21.1"
            },
            {
              "status": "affected",
              "version": "1.22.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the \"delete_compute_resource\" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-04T18:00:59",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "107846",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107846"
        },
        {
          "name": "[oss-security] 20190414 CVE-2019-3893: Foreman: Compute resource credentials exposed during deletion on API",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/04/14/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://projects.theforeman.org/issues/26450"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/theforeman/foreman/pull/6621"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-3893",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "foreman",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.20.3"
                          },
                          {
                            "version_value": "1.21.1"
                          },
                          {
                            "version_value": "1.22.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "The Foreman Project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the \"delete_compute_resource\" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "4.9/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-732"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "107846",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107846"
            },
            {
              "name": "[oss-security] 20190414 CVE-2019-3893: Foreman: Compute resource credentials exposed during deletion on API",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/04/14/2"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893"
            },
            {
              "name": "https://projects.theforeman.org/issues/26450",
              "refsource": "MISC",
              "url": "https://projects.theforeman.org/issues/26450"
            },
            {
              "name": "https://github.com/theforeman/foreman/pull/6621",
              "refsource": "MISC",
              "url": "https://github.com/theforeman/foreman/pull/6621"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-3893",
    "datePublished": "2019-04-09T15:17:14",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-08-04T19:19:18.608Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.