Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-7062 |
CWE-ID | CWE-284 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | Red Hat Storage Console Node (Client/Desktop applications / Software for archiving), Red Hat Storage Console (Client/Desktop applications / Software for archiving) |
Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU1034
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-7062
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a local user to access potentially sensitive information on the target system.
The weakness exists because the "rhscon-core" password is supplied in plain text as a command line parameter, which allows an attacker to view the password.
Successful exploitation of the vulnerability results in disclosure of important data on the vulnerable system.
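A host can be audited for this class of exposure by inspecting process argument vectors for secret-bearing options. The following Python is an added example, not code from Red Hat or from this bulletin; the option-name patterns, the `exampled` binary and its flags are constructed for illustration.

```python
import re

# Option names assumed (for this example) to carry a secret value.
SECRET_OPT = re.compile(r"^--?[\w-]*(?:password|passwd|passphrase|secret|token)[\w-]*$", re.I)
# Options that only point at a secret (file, path, descriptor) are the safe pattern.
INDIRECT = ("-file", "-path", "-fd")

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob; arguments are NUL-terminated (empty ones dropped)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_secret_args(argv):
    """Return (index_of_value, option_name) for secrets passed in argv."""
    hits = []
    for i, arg in enumerate(argv):
        name, sep, value = arg.partition("=")
        if not SECRET_OPT.match(name) or name.lower().endswith(INDIRECT):
            continue
        if sep and value:                      # --opt=value
            hits.append((i, name))
        elif not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            hits.append((i + 1, name))         # --opt value
    return hits

def redact(argv):
    """Copy argv with every detected secret value replaced, so it is safe to log."""
    out = list(argv)
    for i, name in find_secret_args(argv):
        out[i] = name + "=<redacted>" if argv[i].startswith(name + "=") else "<redacted>"
    return out

# Constructed samples in /proc/<pid>/cmdline format (hypothetical binary and flags).
SAMPLES = [
    b"\0".join([b"/usr/bin/exampled", b"--user", b"admin", b"--password", b"S3cr3t!"]) + b"\0",
    b"\0".join([b"/usr/bin/exampled", b"--db-password=S3cr3t!", b"--port", b"8080"]) + b"\0",
    b"\0".join([b"/usr/bin/exampled", b"--password-file", b"/etc/example/secret"]) + b"\0",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        argv = parse_cmdline(raw)
        status = "EXPOSED" if find_secret_args(argv) else "ok"
        print(status, " ".join(redact(argv)))
```

The third sample passes only a path to the secret, so nothing sensitive appears in the argument vector and it is not flagged.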
Update solution from the vendor's site
https://access.redhat.com/
Red Hat Storage Console Node: 2 x86_64
Red Hat Storage Console: 2 x86_64
https://access.redhat.com/errata/RHSA-2016:2082
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into opening a specially crafted archive.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.