Database Credential Exposure in Red Hat Satellite by Candlepin Component
CVE-2019-3891

5.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Candlepin
Vendor: CVE Published:; 15 April 2019

Summary

A vulnerability has been identified in the Candlepin component of Red Hat Satellite 6.4 where a world-readable log file exposes sensitive database credentials. This situation can be exploited by a malicious user with local access to the Satellite host, allowing them to modify the database and disrupt the ability to fetch package updates. Consequently, this impacts the update access for all Satellite-managed hosts.

Affected Version(s)

candlepin affects Satellite 6.4

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3891

x_refsource_CONFIRM

https://access.redhat.com/errata/RHSA-2019:1222

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 15, 2019
Vulnerability Reserved
Jan 3, 2019