SB2017121515 - Information disclosure in Foreman




Published: December 15, 2017

Security Bulletin ID: SB2017121515
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Information disclosure (CVE-ID: CVE-2018-1097)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper security restrictions on the API used to change the power state of oVirt compute resources. A remote attacker who has limited permission to power oVirt and RHV hosts on and off can gain access to the username and password used to connect to the compute resources.


Remediation

Install the update from the vendor's website.