First published: Tue Apr 09 2019 (Updated: )
In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by Foreman. Versions before 1.20.3, 1.21.1 and 1.22.0 are vulnerable.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Theforeman Foreman | >=1.20.0 <1.20.3 | |
Theforeman Foreman | >=1.21.0 <1.21.1 | |
Redhat Satellite | =6.0 | |
CVE-2019-3893 is a vulnerability in Foreman that allows the disclosure of plaintext passwords or tokens when deleting a compute resource from the Foreman API.
CVE-2019-3893 allows a malicious user with the 'delete_compute_resource' permission to obtain plaintext passwords or tokens of affected compute resources.
Foreman versions from 1.20.0 up to (but not including) 1.20.3 and from 1.21.0 up to (but not including) 1.21.1, as well as Red Hat Satellite version 6.0, are affected by CVE-2019-3893.
CVE-2019-3893 has a severity rating of 4.9 out of 10, which is considered medium.
To mitigate CVE-2019-3893, upgrade to a fixed Foreman release (1.20.3, 1.21.1 or 1.22.0) or apply the corresponding update provided by Red Hat for Satellite.
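The flaw described above is an instance of a common API bug: a destroy action echoes the deleted record back to the caller by serialising every attribute, credential included. The following Ruby example is added here to illustrate that pattern and its fix; it is constructed for this page and is not Foreman's code. The `ComputeResource` class, the `destroy_compute_resource` action and the `leaked_secret_keys` checker are all hypothetical stand-ins, and the sample credential is a constructed value.

```ruby
require 'json'

# Constructed stand-in for a compute-resource record (not Foreman's model).
class ComputeResource
  attr_reader :id, :name, :provider, :url, :user, :password

  def initialize(id:, name:, provider:, url:, user:, password:)
    @id, @name, @provider, @url, @user, @password = id, name, provider, url, user, password
  end

  # Vulnerable pattern: dump every instance variable, so the credential rides along
  # in any response built from this hash.
  def to_h_unfiltered
    instance_variables.each_with_object({}) do |iv, h|
      h[iv.to_s.delete('@')] = instance_variable_get(iv)
    end
  end

  # Hardened pattern: an explicit allow-list of response fields. The credential is
  # not part of the response shape at all, so no code path can leak it by accident.
  PUBLIC_FIELDS = %w[id name provider url user].freeze
  def to_h_public
    PUBLIC_FIELDS.each_with_object({}) { |f, h| h[f] = public_send(f) }
  end
end

# Simulated controller action for DELETE /api/compute_resources/:id (constructed).
# A real action would destroy the record first; only the response body matters here.
def destroy_compute_resource(resource, safe:)
  body = safe ? resource.to_h_public : resource.to_h_unfiltered
  JSON.generate(body)
end

# Key-name fragments that should never appear in an API response body.
SECRET_KEYS = %w[password token secret].freeze

# Defender-side check, e.g. for an API test suite: walk a JSON response body and
# return every key whose name suggests it carries a secret.
def leaked_secret_keys(json_body)
  found = []
  walk = lambda do |node|
    case node
    when Hash
      node.each do |k, v|
        found << k if SECRET_KEYS.any? { |s| k.to_s.downcase.include?(s) }
        walk.call(v)
      end
    when Array
      node.each { |v| walk.call(v) }
    end
  end
  walk.call(JSON.parse(json_body))
  found
end

if __FILE__ == $PROGRAM_NAME
  cr = ComputeResource.new(id: 7, name: 'vmware-lab', provider: 'Vmware',
                           url: 'https://vcenter.example.invalid', user: 'svc-foreman',
                           password: 'constructed-sample-secret')
  puts "unfiltered: #{destroy_compute_resource(cr, safe: false)}"
  puts "leaked keys: #{leaked_secret_keys(destroy_compute_resource(cr, safe: false)).inspect}"
  puts "filtered:   #{destroy_compute_resource(cr, safe: true)}"
  puts "leaked keys: #{leaked_secret_keys(destroy_compute_resource(cr, safe: true)).inspect}"
end
```

The allow-list is the important design choice: a deny-list (strip `password` before rendering) breaks as soon as a new secret-bearing column is added, whereas an allow-list only ever exposes fields someone chose to expose. The `leaked_secret_keys` walk is the kind of regression check that would have flagged this bug in a test run before it shipped.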