CVE-2019-10198

An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
redhatCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
VendorProductVersion
theforemanforeman-tasks
𝑥
< 0.15.7
redhatsatellite
6.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2019:3172
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10198
https://projects.theforeman.org/issues/27275
https://access.redhat.com/errata/RHSA-2019:3172
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10198
https://projects.theforeman.org/issues/27275