CVE-2022-0851Sensitive Information Exposure in Project Convert2rhel

CWE-200Sensitive Information ExposureCWE-212Improper Removal of Sensitive Information Before Storage or Transfer4 documents4 sources
Severity
5.5MEDIUMNVD
EPSS
0.1%
top 69.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Convert2rhel Project Convert2rhelRedhat Enterprise Linux
Timeline
PublishedAug 29

Description

There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

Also affects: Enterprise Linux 7.0, 8.0

🔴Vulnerability Details

2
CVEList
CVE-2022-0851: There is a flaw in convert2rhel2022-08-29
GHSA
GHSA-959j-7rc3-c387: There is a flaw in convert2rhel2022-08-29

📋Vendor Advisories

1
Red Hat
convert2rhel: Activation key passed via command line by code2022-04-26
CVE-2022-0851 — Sensitive Information Exposure | cvebase