When the redfish plugin automatically creates an OPERATOR user account on the BMC, we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it is chmod'ed to 0660 before writing the file with g_key_file_save_to_file(). The GLib in RHEL 9 versions instead calls g_file_set_contents_full() with the mode hardcoded to 0666, which undoes the previous chmod().
Upstream fix: https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091
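The failure mode described above, as an added example (not fwupd's or GLib's code, and not the upstream fix): a writer that replaces the file through a temporary file and rename() gives the target a new inode, so a chmod() done beforehand is lost. The helper names, the demo path and the sample key file content are constructed for illustration; the replacing writer is modelled with plain POSIX calls.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper modelling an atomic-replace writer: data goes to a
 * temp file created with `mode` (filtered by the process umask), which is
 * then renamed over `path`. The target ends up with the temp file's mode. */
static int replace_file(const char *path, const char *data, mode_t mode)
{
    char tmp[4096];
    size_t len = strlen(data);
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    unlink(tmp);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0) return -1;
    int ok = write(fd, data, len) == (ssize_t)len;
    if (close(fd) != 0 || !ok || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Permission bits of `path`, or -1 if it cannot be stat'ed. */
static int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Order from the report: chmod to 0660 first, then a replacing write that
 * creates the new file with 0666. The earlier chmod has no effect. */
static int save_chmod_then_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0660);
    if (fd < 0) return -1;
    close(fd);
    if (chmod(path, 0660) != 0) return -1;
    return replace_file(path, data, 0666);
}

/* Restrictive mode applied when the new file is created, before the secret
 * is written into it, so it is never readable by "other". */
static int save_restricted(const char *path, const char *data)
{
    return replace_file(path, data, 0660);
}

int main(void)
{
    const char *p = "redfish-demo.conf"; /* constructed path, not /etc/fwupd */
    const char *d = "[redfish]\nPassword=constructed-example\n";
    if (save_chmod_then_write(p, d) == 0) printf("chmod then write: %04o\n", (unsigned)file_mode(p));
    if (save_restricted(p, d) == 0) printf("mode at creation: %04o\n", (unsigned)file_mode(p));
    return unlink(p);
}
```

To audit a host, compare the mode reported by `stat` on the configuration file against the intended 0660 after the service has rewritten it, not only after installation.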
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2487 https://access.redhat.com/errata/RHSA-2023:2487
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3287
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7189 https://access.redhat.com/errata/RHSA-2023:7189
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:1106 https://access.redhat.com/errata/RHSA-2024:1106
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1403 https://access.redhat.com/errata/RHSA-2024:1403