Bug 1858284 (CVE-2020-14334)
| Field | Value |
|---|---|
| Summary | CVE-2020-14334 foreman: unauthorized cache read on RPM-based installations through local user |
| Product | [Other] Security Response |
| Reporter | Yadnyawalk Tale <ytale> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | bbuckingham, bcourt, bkearney, btotty, ekohlvan, hhudgeon, lzap, mmccune, mzalewsk, nmoumoul, oezr, rchan, rjerrido, security-response-team, sokeeffe |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Red Hat Satellite. An attacker could gain access to cache files further allowing access to cached credentials that could help the attacker to gain complete control of the Satellite instance. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-09-30 20:21:16 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1858305, 1858306, 1858307, 1858308 |
| Bug Blocks | 1857656 |
Description

Yadnyawalk Tale, 2020-07-17 12:15:09 UTC

Mitigation: This flaw can be mitigated by manually changing the directory permissions to remove readable bits for the others:

```shell
# chmod 0750 /run/foreman
```

Acknowledgments:

Name: Foreman project
Upstream: Ewoud Kohl van Wijngaarden (Red Hat)

Please ignore comment 5 and comment 6 as these were meant for https://bugzilla.redhat.com/show_bug.cgi?id=1858302

This issue has been addressed in the following products:

Red Hat Satellite 6.7 for RHEL 7

Via RHSA-2020:4127 https://access.redhat.com/errata/RHSA-2020:4127

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14334

This issue has been addressed in the following products:

Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366
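The mitigation above removes the "others" read bit from the Foreman cache directory. The following shell snippet is an added example, not part of the Bugzilla report or of Foreman itself; it checks whether a directory is still readable by others (the condition the mitigation removes) and reports the `chmod 0750` fix when it is. The directory path is a parameter that defaults to `/run/foreman` as named in the report; the check parses the mode string printed by `ls -ld` so it works with a POSIX shell and coreutils.

```shell
#!/bin/sh
# Added example (not from the bug report): verify the CVE-2020-14334
# mitigation, i.e. that the Foreman cache directory is not world-readable.

# Returns 0 when the "others" permission triad of DIR includes the read bit,
# 1 when it does not, 2 when DIR is not a directory.
# ls -ld prints e.g. "drwxr-xr-x ..."; character 8 is the others-read bit.
others_can_read() {
    dir=${1:-/run/foreman}          # /run/foreman is the path named in the report
    [ -d "$dir" ] || return 2
    bit=$(ls -ld "$dir" | cut -c8)
    [ "$bit" = "r" ]
}

# Reports the state of DIR and returns 0 when mitigated, 1 when still exposed,
# 2 when the directory does not exist.
check_foreman_cache_dir() {
    dir=${1:-/run/foreman}
    others_can_read "$dir"
    case $? in
        0)
            echo "$dir is readable by others; apply: chmod 0750 $dir"
            return 1
            ;;
        1)
            echo "$dir is not readable by others (mitigation in place)"
            return 0
            ;;
        *)
            echo "$dir is not a directory" >&2
            return 2
            ;;
    esac
}

# Stand-alone use: check the default path (or the one given as argument).
# check_foreman_cache_dir "$@"
```

Run it as `sh check.sh` on a Satellite host to confirm the mitigation; a non-zero exit means the directory still needs `chmod 0750`.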