CVE-2022-0852
First published: Wed Mar 02 2022(Updated: )
There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Convert2rhel Project Convert2rhel | <0.26 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/oamg/convert2rhel/blob/main/convert2rhel/subscription.py#L156
- https://access.redhat.com/errata/RHSA-2022:1599
- https://access.redhat.com/errata/RHSA-2022:1617
- https://access.redhat.com/errata/RHSA-2022:1618
- https://access.redhat.com/security/cve/cve-2022-0852
- https://bugzilla.redhat.com/show_bug.cgi?id=2060129
- https://access.redhat.com/security/cve/CVE-2022-0852
- https://github.com/oamg/convert2rhel/commit/8d72fb030ed31116fdb256b327d299337b000af4
- https://github.com/oamg/convert2rhel/pull/492
- https://issues.redhat.com/browse/RHELC-432
Frequently Asked Questions
What is CVE-2022-0852?
CVE-2022-0852 is a vulnerability in convert2rhel that allows unauthorized users to view the Red Hat account password via the process command line.
How does CVE-2022-0852 affect Red Hat Enterprise Linux 6.0?
CVE-2022-0852 affects Red Hat Enterprise Linux 6.0 by allowing unauthorized users to view the Red Hat account password via the process command line.
How does CVE-2022-0852 affect Red Hat Enterprise Linux 7.0?
CVE-2022-0852 affects Red Hat Enterprise Linux 7.0 by allowing unauthorized users to view the Red Hat account password via the process command line.
How does CVE-2022-0852 affect Red Hat Enterprise Linux 8.0?
CVE-2022-0852 affects Red Hat Enterprise Linux 8.0 by allowing unauthorized users to view the Red Hat account password via the process command line.
How severe is CVE-2022-0852?
CVE-2022-0852 has a severity rating of high.
How can I fix CVE-2022-0852?
To fix CVE-2022-0852, update convert2rhel to version 0.26 or later and follow the recommendations provided by Red Hat.
- collector/nvd-index
- agent/references
- agent/weakness
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-0852
- agent/author
- agent/severity
- agent/description
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/convert2rhel project
- canonical/convert2rhel project convert2rhel
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0