Unauthorized Credential Disclosure in Foreman by The Foreman Project
CVE-2018-1097

8.8HIGH

Key Information:

Vendor

Foreman Project

Status
Foreman
Vendor
CVE Published:
4 April 2018

What is CVE-2018-1097?

A security flaw in Foreman versions before 1.16.1 has been identified, which allows users with limited permission to power oVirt/RHV hosts on and off to inadvertently expose sensitive credentials. This vulnerability enables unauthorized access to the usernames and passwords used to connect to the compute resources, increasing the risk of further exploitation if left unpatched.

Affected Version(s)

foreman before 1.16.1

References

https://github.com/theforeman/foreman/pull/5369
x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=1561723
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:2927
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.