In Foreman it was discovered that the delete compute resource operation, when executed through the Foreman API, discloses the plaintext password or token of the affected compute resource in the API response. A malicious user holding the "delete_compute_resource" permission can use this flaw to take control of compute resources managed by Foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.
References

| Link | Resource |
|---|---|
| http://www.openwall.com/lists/oss-security/2019/04/14/2 | Mailing List, Third Party Advisory |
| http://www.securityfocus.com/bid/107846 | Third Party Advisory, VDB Entry |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893 | Issue Tracking, Third Party Advisory |
| https://github.com/theforeman/foreman/pull/6621 | Third Party Advisory |
| https://projects.theforeman.org/issues/26450 | Vendor Advisory |
History
No history.
Information
Published : 2019-04-09 16:29
Updated : 2024-11-21 04:42
NVD link : CVE-2019-3893
Mitre link : CVE-2019-3893
CVE.ORG link : CVE-2019-3893
Products Affected
theforeman
- foreman
redhat
- satellite
CWE
CWE-732: Incorrect Permission Assignment for Critical Resource