CVE-2022-0852Exposure of Private Personal Information to an Unauthorized Actor in Project Convert2rhel

CWE-359Exposure of Private Personal Information to an Unauthorized ActorCWE-668Resource Exposure4 documents4 sources
Severity
5.5MEDIUMNVD
EPSS
0.2%
top 63.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Convert2rhel Project Convert2rhelRedhat Enterprise Linux
Timeline
PublishedAug 29

Description

There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5convert2rhel_project/convert2rhelFixed in v0.26.

Also affects: Enterprise Linux 6.0, 7.0, 8.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
CVEList
CVE-2022-0852: There is a flaw in convert2rhel2022-08-29
GHSA
GHSA-fjvj-w876-8mc2: There is a flaw in convert2rhel2022-08-29

📋Vendor Advisories

1
Red Hat
convert2rhel: Red Hat account password passed via command line by code2022-04-26
CVE-2022-0852 — Project Convert2rhel vulnerability | cvebase