CVE-2019-3893

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-3893

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-3893.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-3893

Related

RHSA-2019:3172

Published

2019-04-09T16:29:02Z

Modified

2024-10-12T05:15:46.435056Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "deletecomputeresource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.

References

Affected packages

Git / github.com/theforeman/foreman

Affected ranges

Type: GIT
Repo: https://github.com/theforeman/foreman
Events: Introduced

0566ac2edfdf525c0a06cb3106f70435210607aa

Fixed

966428d66bff571a08f31cd7cbcf98ebfea46ed8

Type: GIT
Repo: https://github.com/theforeman/foreman-installer
Events: Introduced

685203a6e89a95487d7a6f7209782796ef83ea1b

Fixed

88dcc8b25480e2d24eb383de213102aed10e9917

Type: GIT
Repo: https://github.com/theforeman/smart-proxy
Events: Introduced

0220a2581b5c0465bd206b12e015b91048671bb7

Fixed

60028ea39a5c4477c7ece7ace4f7b9c40b706446

Affected versions

1.*

1.20.0

1.20.1

1.20.2