CVE-2023-3899 HIGH

CVE-2023-3899: Subscription-manager: inadequate authorization of com.redhat.rhsm1 d-bus interface allows local users to modify configuration

Vendor Red Hat
Product Red Hat Enterprise Linux 6
Weakness CWE-285
Published August 23, 2023
Last update November 20, 2025

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives in /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.

Key dates

Disclosure timeline

August 23, 2023 CVE published
November 20, 2025 Record updated