1696400 – (CVE-2019-3893) CVE-2019-3893 foreman: Recover of plaintext password or token for the compute resources

Bug 1696400 (CVE-2019-3893) - CVE-2019-3893 foreman: Recover of plaintext password or token for the compute resources

Summary: CVE-2019-3893 foreman: Recover of plaintext password or token for the compute...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-3893
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1692644
Blocks:	1693171
TreeView+	depends on / blocked

Reported:	2019-04-04 18:51 UTC by Pedro Sampaio
Modified:	2021-12-14 18:47 UTC (History)
CC List:	11 users (show)
Fixed In Version:	foreman 1.20.3, foreman 1.21.1, foreman 1.22.0
Doc Type:	If docs needed, set a value
Doc Text:	It was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman.
Clone Of:
Environment:
Last Closed:	2020-04-21 11:54:15 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2019-04-04 18:51:45 UTC

A flaw was found in Foreman. The issue allows an identified user with "delete compute resource" permission to recover plaintext password or token for the compute resource.

Upstream issue:

https://projects.theforeman.org/issues/26450

Upstream patch:

https://github.com/theforeman/foreman/pull/6621

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1692644

Comment 1 Pedro Sampaio 2019-04-04 18:51:48 UTC

Acknowledgments:

Name: Vatsal Parekh (Red Hat)

Comment 5 Richard Maciel Costa 2019-04-09 02:43:04 UTC

Mitigation:

Do not grant the "destroy_compute_resource" permission to users that should not know the password.

Comment 8 Yadnyawalk Tale 2020-04-21 11:54:15 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.6 for RHEL 7

Via RHSA-2019:3172 https://access.redhat.com/errata/RHSA-2019:3172

Note You need to log in before you can comment on or make changes to this bug.