CVE-2019-3891

5.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Candlepin
Vendor: CVE Published:; 15 April 2019

Summary

It was discovered that a world-readable log file belonging to Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Satellite host can use those credentials to modify the database and prevent Satellite from fetching package updates, thus preventing all Satellite hosts from accessing those updates.

Affected Version(s)

candlepin affects Satellite 6.4

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3891

x_refsource_CONFIRM

https://access.redhat.com/errata/RHSA-2019:1222

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 15, 2019
Vulnerability Reserved
Jan 3, 2019