Uyuni server attestation service exposed database password
CVE-2024-22037

5.5 MEDIUM

Key Information:

Vendor
SUSE
CVE Published:
28 November 2024

Summary

The uyuni-server-attestation systemd service receives its database password through an environment variable, and that variable is not adequately protected. The file that sets it has permissions 640, so only privileged users can read it directly; however, systemd exposes a unit's environment through its service-management interface, so the variable, and with it the credential, remains visible to non-privileged local users. Organizations running Uyuni Server should review their security configuration to mitigate the risk of credential exposure.
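The following script is an added example written for this page; it is not code from the advisory, from Uyuni or from SUSE. It shows the defender's side of the issue described above: `find_secret_env` scans the text of a unit's `Environment` property (what `systemctl show -p Environment --value <unit>` prints, and what any unprivileged user can query) for credential-like variable names without ever printing the values, `audit_unit` runs that check live against a named unit, and `hardened_dropin` prints a drop-in that moves the secret out of the environment into a systemd credential via `LoadCredential=`. The sample environment string, the `db_password` credential name and the `/etc/example/db_password` path are constructed placeholders, not Uyuni's real names or paths.

```shell
#!/bin/sh
# Added example, not code from the advisory, Uyuni or SUSE. Audits a systemd unit's
# published Environment= property for credential-like variable names and prints a
# hardened drop-in that moves the secret into a systemd credential instead.

# find_secret_env: take the Environment property text as printed by
# `systemctl show -p Environment --value <unit>` (space-separated KEY=VALUE pairs)
# and print the NAMES of variables that look like credentials. Values are never
# printed, so the audit output itself does not leak the secret.
# Caveat: values containing spaces are split naively here; treat hits as review
# candidates, not proof.
find_secret_env() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -Ei '^[A-Z0-9_]*(PASS|PASSWORD|PASSWD|SECRET|TOKEN|KEY)[A-Z0-9_]*=' \
        | cut -d= -f1
}

# audit_unit: live check against a unit on this host. Any unprivileged user can
# run `systemctl show`, which is exactly why an Environment= directive in a
# root-only unit file or drop-in is still not a safe place for a password.
# Returns 0 if clean, 1 if credential-like names are exposed, 2 if the unit
# could not be queried.
audit_unit() {
    unit="$1"
    env_text=$(systemctl show -p Environment --value "$unit" 2>/dev/null) || return 2
    names=$(find_secret_env "$env_text")
    if [ -n "$names" ]; then
        printf 'unit %s exposes credential-like variables via systemctl show:\n%s\n' "$unit" "$names"
        return 1
    fi
    printf 'unit %s: no credential-like variables in Environment=\n' "$unit"
    return 0
}

# hardened_dropin: print a drop-in that replaces Environment=DB_PASSWORD=... with
# LoadCredential=, so systemd reads the secret from a root-only file and hands it
# to the service as a file under $CREDENTIALS_DIRECTORY, never through the unit's
# Environment property. Paths and names are placeholders, not Uyuni's real ones.
hardened_dropin() {
    cat <<'EOF'
[Service]
# An empty assignment resets every Environment= entry set so far; re-add the
# non-secret variables the service needs after this line.
Environment=
# Assumed path: a root-only (0600) file holding just the password.
LoadCredential=db_password:/etc/example/db_password
# The service reads $CREDENTIALS_DIRECTORY/db_password at start-up.
EOF
}

# Constructed sample of an Environment property, standing in for real output.
SAMPLE_ENV='PGHOST=localhost PGPORT=5432 DB_PASSWORD=example-placeholder LOG_LEVEL=info'

if [ "${1:-}" = "--demo" ]; then
    printf 'credential-like names in sample: %s\n' "$(find_secret_env "$SAMPLE_ENV")"
    hardened_dropin
elif [ -n "${1:-}" ]; then
    audit_unit "$1"
fi
```

Run it as `sh audit.sh uyuni-server-attestation` on a host that has the service to check the live unit, or with `--demo` to run the check on the embedded sample and print the drop-in. Note that the `Environment` property reported by `systemctl show` comes from `Environment=` directives parsed by systemd as root; a restrictive mode on the unit file or drop-in does not hide it, which is the point of the advisory. Moving the secret to `LoadCredential=` (or an `EnvironmentFile=` that is read only at exec time) keeps it out of that property.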

Affected Version(s)

SUSE Manager Server 5.0 ? < 0.1.26-150500.3.12.2

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Cédric Bosdonnat of SUSE