Bug #26450: CVE-2019-3893: Compute resource delete via API returns password in plaintext
In Foreman, deleting a compute resource through the Foreman API returns the plaintext password or token of the deleted compute resource in the API response. A malicious user holding the "delete_compute_resource" permission can use this flaw to obtain the credential and take control of the compute resources (the backing hypervisor or cloud provider accounts) managed by Foreman; deleting the Foreman record does not revoke the credential at the provider, so the disclosed secret remains usable. Versions before 1.20.3, 1.21.1 and 1.22.0 are vulnerable.
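The following is an added illustration of the flaw and of the shape of the fix (an explicit attribute allowlist for the destroy response, which is what a RABL template provides); it is not Foreman's code. The ComputeResource struct, the DESTROY_ATTRIBUTES allowlist, the SECRET_FIELDS list and the sample record are all constructed for this example.

```ruby
require 'json'

# Constructed stand-in for a Foreman-style compute resource record.
# The real model has more columns; these are enough to show the leak.
ComputeResource = Struct.new(:id, :name, :provider, :url, :user, :password) do
  # Mimics a default model-to-JSON conversion: every column, credentials included.
  def as_json
    to_h.transform_keys(&:to_s)
  end
end

# Hypothetical allowlist of attributes a destroy response may expose.
# It plays the role of a dedicated destroy RABL template: only what is listed here leaves the server.
DESTROY_ATTRIBUTES = %w[id name provider url].freeze

# Field names a practitioner would grep an API response for (constructed list).
SECRET_FIELDS = %w[password token].freeze

# Vulnerable behaviour: the controller renders the destroyed record as-is,
# so whatever the model serializes, including the password, goes to the client.
def vulnerable_destroy_response(resource)
  JSON.generate(resource.as_json)
end

# Fixed behaviour: serialize only the explicit allowlist of attributes.
def fixed_destroy_response(resource)
  JSON.generate(resource.as_json.slice(*DESTROY_ATTRIBUTES))
end

# Check for a response body: which credential fields does it disclose?
# Returns the leaked field names (empty array when the response is clean).
def leaked_secret_fields(body)
  parsed = JSON.parse(body)
  SECRET_FIELDS.select { |key| parsed.key?(key) && !parsed[key].nil? }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample record; the credential is fake.
  cr = ComputeResource.new(7, 'lab-vmware', 'Vmware',
                           'https://vcenter.example.test', 'svc-foreman', 'not-a-real-password')
  puts "before fix: #{vulnerable_destroy_response(cr)}"
  puts "  leaked fields: #{leaked_secret_fields(vulnerable_destroy_response(cr)).inspect}"
  puts "after fix:  #{fixed_destroy_response(cr)}"
  puts "  leaked fields: #{leaked_secret_fields(fixed_destroy_response(cr)).inspect}"
end
```

The same leaked_secret_fields check can be pointed at the body of a real DELETE response when auditing an unpatched instance; the point of the fix is that the response schema is an allowlist, so a new sensitive column added to the model later does not silently start leaking either.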
CVE-2019-3893: Compute resource delete via api returns password in plaintext
Added by Tomer Brisker over 3 years ago. Updated over 3 years ago.
Status: Closed
Priority: Normal
Assignee: Shira Maximov
Category: Compute resources
Target version: 1.21.1
Triaged: No
Bugzilla link: 1692644
Pull request: https://github.com/theforeman/foreman/pull/6621
Fixed in Releases: 1.20.3, 1.21.1, 1.22.0
Associated revisions
Revision 12174920 (diff)
Added by Shira Maximov over 3 years ago
Fixes #26450 - add destroy rabl for compute resource
History
#1 Updated by Tomer Brisker over 3 years ago
- Target version set to 1.21.1
#2 Updated by Tomer Brisker over 3 years ago
- Private changed from Yes to No
This can be worked around by not granting “destroy_compute_resource” permissions to users that should not know the password.
#3 Updated by The Foreman Bot over 3 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/6621 added
#4 Updated by Tomer Brisker over 3 years ago
- Fixed in Releases 1.20.3, 1.21.1, 1.22.0 added
#5 Updated by Shira Maximov over 3 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset 12174920f9df7803060f8b2be9fdf3c250ab4291.
#6 Updated by Tomer Brisker over 3 years ago
- Assignee set to Shira Maximov
#7 Updated by Tomer Brisker over 3 years ago
- Subject changed from Compute resource delete via api returns password in plaintext to CVE-2019-3893: Compute resource delete via api returns password in plaintext