CVE-2021-3590 — Sensitive Information Exposure in Foreman

CWE-200 — Sensitive Information Exposure CWE-319 — Cleartext Transmission of Sensitive Info5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 62.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Theforeman Foreman Redhat Satellite

Timeline

PublishedAug 22

Latest updateAug 23

Description

A flaw was found in Foreman project. A credential leak was identified which will expose Azure Compute Profile password through JSON of the API output. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5theforeman/foremanAffects foreman-1.6.0 onwards

▶NVDtheforeman/foreman

▶NVDredhat/satellite6.0

🔴Vulnerability Details

GHSA

GHSA-6543-h8cq-cc73: A flaw was found in Foreman project↗2022-08-23

▶

CVEList

CVE-2021-3590: A flaw was found in Foreman project↗2022-08-22

▶

📋Vendor Advisories

Red Hat

foreman: azure compute profile credential leak to authenticated users↗2021-06-08

▶

💬Community

Bugzilla

CVE-2020-14846 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2020)↗2020-10-22

▶