CVE-2019-3891 — HIGH (7.8) — White Hats Nepal

Vulnerability Description

It was discovered that a world-readable log file belonging to Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Satellite host can use those credentials to modify the database and prevent Satellite from fetching package updates, thus preventing all Satellite hosts from accessing those updates.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redhat	Satellite	6.4

Related Weaknesses (CWE)

CWE-532

References

https://access.redhat.com/errata/RHSA-2019:1222Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3891ExploitIssue TrackingMitigation
https://access.redhat.com/errata/RHSA-2019:1222Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3891ExploitIssue TrackingMitigation

FAQ

What is CVE-2019-3891?

CVE-2019-3891 is a vulnerability with a CVSS score of 7.8 (HIGH). It was discovered that a world-readable log file belonging to Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Sat...

How severe is CVE-2019-3891?

CVE-2019-3891 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-3891?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Satellite.