CVE-2019-3893

In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
redhatCNA
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
VendorProductVersion
theforemanforeman
1.20.0 ≤
𝑥
< 1.20.3
theforemanforeman
1.21.0 ≤
𝑥
< 1.21.1
redhatsatellite
6.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2019/04/14/2
http://www.securityfocus.com/bid/107846
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893
https://github.com/theforeman/foreman/pull/6621
https://projects.theforeman.org/issues/26450
http://www.openwall.com/lists/oss-security/2019/04/14/2
http://www.securityfocus.com/bid/107846
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893
https://github.com/theforeman/foreman/pull/6621
https://projects.theforeman.org/issues/26450