Bug 1969258 (CVE-2021-3590) - CVE-2021-3590 foreman: azure compute profile credential leak to authenticated users
Keywords:
Status: NEW
Alias: CVE-2021-3590
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1969259
Blocks: 1958870 1969838
 
Reported: 2021-06-08 05:25 UTC by Yadnyawalk Tale
Modified: 2023-07-07 08:28 UTC
CC List: 13 users

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the Foreman project. A credential leak was identified that exposes the Azure Compute Profile password through the JSON output of the API. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Yadnyawalk Tale 2021-06-08 05:25:50 UTC
A credential leak vulnerability was found in Foreman through the Azure Compute Profile. This flaw exposes the compute profile credentials to all authenticated users with the "view_compute_profiles" permission.
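The pattern behind this class of bug is a read endpoint that serializes a whole record, so a stored credential travels along with the harmless attributes to anyone holding a view permission. The Ruby below is an added illustration for this report, not Foreman's code and not the fix from the commit referenced in this bug: the record, its field names and the secret values are constructed, the leaky and allowlisted serializers are hypothetical stand-ins, and `find_secret_keys` is a defender-side check that walks an API response and reports where a secret-named key appears, so a test suite or response review catches a regression.

```ruby
require 'json'

# Constructed sample record standing in for a compute-profile attribute set
# that carries a cloud credential. Field names and values are hypothetical.
SAMPLE_PROFILE = {
  'id' => 7,
  'name' => 'azure-small',
  'region' => 'westeurope',
  'client_id' => 'example-client-id',
  'password' => 'example-secret-value' # must never reach API consumers
}.freeze

# Key names that must not be serialized into a read-only API response.
SECRET_KEYS = %w[password secret_key client_secret].freeze

# Leaky pattern: the whole record is dumped, so anyone who may read the
# profile (a view-only permission is enough) also reads the password.
def leaky_json(record)
  JSON.generate(record)
end

# Hardened pattern: serialize from an explicit allowlist of public fields.
# Columns added later are excluded unless someone deliberately lists them.
PUBLIC_FIELDS = %w[id name region client_id].freeze

def safe_json(record)
  JSON.generate(record.select { |k, _| PUBLIC_FIELDS.include?(k) })
end

# Defender-side check: walk an arbitrary parsed API response and return the
# dotted paths of every key whose name matches a secret. Nested hashes and
# arrays (e.g. a list endpoint wrapping several profiles) are handled.
def find_secret_keys(obj, path = [])
  case obj
  when Hash
    obj.flat_map do |k, v|
      here = path + [k.to_s]
      hits = SECRET_KEYS.include?(k.to_s.downcase) ? [here.join('.')] : []
      hits + find_secret_keys(v, here)
    end
  when Array
    obj.each_with_index.flat_map { |v, i| find_secret_keys(v, path + [i.to_s]) }
  else
    []
  end
end

def leaks_secret?(json_text)
  !find_secret_keys(JSON.parse(json_text)).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky response leaks secret? #{leaks_secret?(leaky_json(SAMPLE_PROFILE))}"
  puts "safe response leaks secret?  #{leaks_secret?(safe_json(SAMPLE_PROFILE))}"
  listing = JSON.generate('results' => [SAMPLE_PROFILE, SAMPLE_PROFILE])
  p find_secret_keys(JSON.parse(listing))
end
```

The allowlist is the durable fix: a denylist of secret names protects only the columns someone remembered to name, while an allowlist fails closed when a new credential column is added. The `find_secret_keys` scan is still worth keeping as a regression test over real responses, since it catches the case where a secret is copied into an unexpected nested structure.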

Comment 3 Yadnyawalk Tale 2021-06-08 10:40:53 UTC
Foreman introduces the compute profiles v2 API from foreman-1.6.0 onward.
https://github.com/theforeman/foreman/commit/10ac97b0d91a2ef9769cc00d3ddf95e2b50ee545

