4.9
CVE-2019-3893
- EPSS 1.28%
- Published 09.04.2019 16:29:02
- Last modified 21.11.2024 04:42:48
- Source secalert@redhat.com
- Teams watchlist Login
- Open Login
In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.
Data is provided by the National Vulnerability Database (NVD)
Theforeman ≫ Foreman Version >= 1.20.0 < 1.20.3
Theforeman ≫ Foreman Version >= 1.21.0 < 1.21.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.28% | 0.787 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 4.9 | 1.2 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:P/I:N/A:N
|
| secalert@redhat.com | 4.9 | 1.2 | 3.6 |
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
|
CWE-732 Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.