CVE-2019-10198 — DEPRECATED: Authentication Bypass Issues in Foreman-tasks

CWE-592 — DEPRECATED: Authentication Bypass Issues CWE-306 — Missing Authentication for Critical Function CWE-287 — Improper Authentication5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

1.4%

top 19.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Theforeman Foreman-tasks THE Foreman Project Foreman-tasks Redhat Satellite

Timeline

PublishedJul 31

Latest updateMay 24

Description

An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDtheforeman/foreman-tasks< 0.15.7

▶CVEListV5the_foreman_project/foreman-tasks0.15.7

▶NVDredhat/satellite6.6

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-gq5x-r3g9-ch4f: An authentication bypass vulnerability was discovered in foreman-tasks before 0↗2022-05-24

▶

CVEList

CVE-2019-10198: An authentication bypass vulnerability was discovered in foreman-tasks before 0↗2019-07-31

▶

📋Vendor Advisories

Red Hat

foreman: authorization bypasses in foreman-tasks leading to information disclosure↗2019-07-12

▶

💬Community

Bugzilla

CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to information disclosure↗2019-07-11

▶