Vulnerability Description
In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Theforeman | Foreman | >= 1.20.0, < 1.20.3 |
| Redhat | Satellite | 6.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2019/04/14/2Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/107846Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893Issue TrackingThird Party Advisory
- https://github.com/theforeman/foreman/pull/6621Third Party Advisory
- https://projects.theforeman.org/issues/26450Vendor Advisory
- http://www.openwall.com/lists/oss-security/2019/04/14/2Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/107846Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893Issue TrackingThird Party Advisory
- https://github.com/theforeman/foreman/pull/6621Third Party Advisory
- https://projects.theforeman.org/issues/26450Vendor Advisory
FAQ
What is CVE-2019-3893?
CVE-2019-3893 is a vulnerability with a CVSS score of 4.9 (MEDIUM). In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resourc...
How severe is CVE-2019-3893?
CVE-2019-3893 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3893?
Check the references section above for vendor advisories and patch information. Affected products include: Theforeman Foreman, Redhat Satellite.