Lucene search

[email protected]CVE-2024-3716

HistoryJun 05, 2024 - 3:15 p.m.

CVE-2024-3716

2024-06-0515:15:12

CWE-200

[email protected]

web.nvd.nist.gov

cve-2024-3716

foreman-installer

puppet-candlepin

password leak

process list

attacker

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.9%

JSON

A flaw was found in foreman-installer when puppet-candlepin is invoked cpdb with the --password parameter. This issue leaks the password in the process list and allows an attacker to take advantage and obtain the password.

Affected configurations

NVD

Node

redhatsatelliteMatch6.0

CPENameOperatorVersion
redhat:satelliteredhat satelliteeq6.0

CPE	Name	Operator	Version
redhat:satellite	redhat satellite	eq	6.0

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Satellite 6",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "foreman-installer",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:satellite:6"
    ]
  }
]

References

access.redhat.com/security/cve/CVE-2024-3716

bugzilla.redhat.com/show_bug.cgi?id=2274755

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.9%

JSON

Related for CVE-2024-3716

vulnrichment1 cvelist1 redhatcve1 nvd1