CVE-2019-3893 MEDIUM

Vendor The Foreman Project
Product foreman
Weakness CWE-732
Published April 9, 2019
Last update August 4, 2024

CVSS base score 4.9/10 (Medium)

Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

In Foreman it was discovered that the delete compute resource operation, when executed through the Foreman API, discloses the plaintext password or token of the compute resource being deleted in the API response. A malicious user holding the "delete_compute_resource" permission can use this flaw to obtain those credentials and take control of the compute resources (hypervisors, cloud accounts) that Foreman manages; deleting the Foreman record does not revoke the credential on the backend. Foreman versions before 1.20.3, 1.21.1 and 1.22.0 are vulnerable.
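The following is an added example, not code from the Foreman project or from this record, showing how to turn the affected-version statement above into a check that can be run against the version string a Foreman instance reports (for example the "version" field of /api/status). It assumes the fixed releases are exactly 1.20.3, 1.21.1 and 1.22.0 as stated, treats branches older than 1.20 as affected because no fix was issued for them, and conservatively treats a pre-release of a fixed version (such as 1.22.0-rc2) as still affected.

```ruby
# Added example (not Foreman project code): classify a Foreman version
# string as affected or not by CVE-2019-3893.
#
# Assumptions (taken from the advisory text, not from a release feed):
#   - fixed releases are 1.20.3 (1.20 branch), 1.21.1 (1.21 branch)
#     and 1.22.0 (first release of the 1.22 branch)
#   - branches older than 1.20 received no fix and are always affected
#   - a pre-release of a fixed version is treated as older than the fix
FIXED_IN_BRANCH = {
  [1, 20] => [1, 20, 3],
  [1, 21] => [1, 21, 1],
}.freeze
FIRST_FIXED_RELEASE = [1, 22, 0].freeze

# Parse "1.20.2", "1.21.0-rc1" or "1.22.0.1" into
# [[major, minor, patch], prerelease?]. Extra components beyond the
# patch level are ignored; a "-suffix" marks a pre-release build.
def parse_version(str)
  core, pre = str.strip.split('-', 2)
  parts = core.split('.').map { |p| Integer(p, 10) }
  raise ArgumentError, "unparseable Foreman version: #{str.inspect}" if parts.size < 2
  [(parts + [0, 0])[0, 3], !pre.nil?]
end

# True when the given version is in the range the advisory calls vulnerable.
def affected?(version)
  parts, prerelease = parse_version(version)
  branch = parts[0, 2]
  fixed = FIXED_IN_BRANCH.fetch(branch) do
    # 1.22 and later are fixed from 1.22.0 onward; anything older than
    # 1.20 has no fixed release at all.
    (branch <=> [1, 22]) < 0 ? nil : FIRST_FIXED_RELEASE
  end
  return true if fixed.nil?

  cmp = parts <=> fixed
  cmp < 0 || (cmp.zero? && prerelease)
end

# Minimal human-readable verdict, useful when looping over an inventory
# of Foreman servers.
def verdict(version)
  affected?(version) ? "#{version}: AFFECTED by CVE-2019-3893" : "#{version}: not affected"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not real inventory data.
  %w[1.19.1 1.20.2 1.20.3 1.21.0 1.21.1 1.22.0-rc2 1.22.0 1.24.1].each do |v|
    puts verdict(v)
  end
end
```

Because the leaked secret is the backend credential itself, a version check only tells you whether the leak was possible; where a compute resource was deleted through the API on an affected version, rotate the password or token on the hypervisor or cloud provider side as well.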

Key dates

Disclosure timeline

April 9, 2019 CVE published
August 4, 2024 Record updated