CVE-2019-3893 Information

Description

In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the delete_compute_resource permission can use this flaw to take control over compute resources managed by Foreman. Versions before 1.20.3, 1.21.1 and 1.22.0 are vulnerable.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Reference

http://www.openwall.com/lists/oss-security/2019/04/14/2
http://www.securityfocus.com/bid/107846
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893
https://github.com/theforeman/foreman/pull/6621
https://projects.theforeman.org/issues/26450

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

4.9

Base Severity

MEDIUM
