VDB
CVE-2019-3893
CVE-2019-3893
PUBLISHED
CVSS 4.9 MEDIUM
Reported by redhat · Published April 9, 2019
In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.
Risk Scores
CVSS 3.0
4.9
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| The Foreman Project | foreman | 1.20.3, 1.21.1, 1.22.0 |
| The Foreman Project | foreman | 1.20.3, 1.21.1, 1.22.0 |
Timeline
- Apr 9, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- 107846 vdb-entryx_refsource_BID
- [oss-security] 20190414 CVE-2019-3893: Foreman: Compute resource credentials exposed during deletion on API mailing-listx_refsource_MLIST
- x_refsource_CONFIRM
- x_refsource_MISC
- x_refsource_MISC