CVE-2019-3891 MEDIUM

Vendor Red Hat
Product candlepin
Weakness CWE-532 · Sensitive info in logs
Published April 12, 2019
Last update August 4, 2024

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

It was discovered that a world-readable log file belonging to the Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Satellite host can use those credentials to modify the database and prevent Satellite from fetching package updates, thus preventing all Satellite hosts from accessing those updates.

Key dates

02 Disclosure timeline

April 12, 2019 CVE published
August 4, 2024 Record updated