CVE-2022-1662 — Sensitive Information Exposure in Project Convert2rhel

CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 86.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Convert2rhel Project Convert2rhel

Timeline

PublishedJul 14

Latest updateFeb 23

Description

In convert2rhel, there's an ansible playbook named ansible/run-convert2rhel.yml which passes the Red Hat Subscription Manager user password via the CLI to convert2rhel. This could allow unauthorized local users to view the password via the process list while convert2rhel is running. However, this ansible playbook is only an example in the upstream repository and it is not shipped in officially supported versions of convert2rhel.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5convert2rhel_project/convert2rhelconvert2rhel 0.26 Vivi

▶NVDconvert2rhel_project/convert2rhel0.24, 0.25+1

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-77gc-239h-cc4p: In convert2rhel, there's an ansible playbook named ansible/run-convert2rhel↗2022-07-15

▶

CVEList

CVE-2022-1662: In convert2rhel, there's an ansible playbook named ansible/run-convert2rhel↗2022-07-14

▶

📋Vendor Advisories

Red Hat

convert2rhel: ansible playbook passes credentials to convert2rhel via CLI↗2022-05-10

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities↗2023-02-23

▶

Talos

Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities↗2023-02-23

▶