Information disclosure in Foreman - CVE-2018-1097

Published: April 12, 2018 / Updated: April 13, 2018
Vulnerability identifier: #VU11827
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1097
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Foreman
Affected software:
Foreman

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to insufficient permission checks on the API used to change the power state of hosts on oVirt compute resources. A remote attacker who holds only the limited permission to power oVirt and RHV hosts on and off can obtain the username and password that Foreman uses to connect to the compute resource.

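The pattern described above is a CWE-200 over-serialization problem: a low-privilege action returns an object that carries the connection credentials. The following Ruby example is added here to illustrate that pattern and its fix; it is not Foreman's code, and the record layout, field names and permission model are constructed assumptions rather than Foreman's actual API.

```ruby
# Added example (not Foreman's code): a power-state endpoint that serializes the
# whole compute-resource record leaks its connection password to any caller who
# is allowed to use the endpoint. The hardened variant projects the record onto
# an allow-list of fields, and a regression check scans responses for secrets.
require 'json'

# Constructed sample record; the field names are hypothetical.
COMPUTE_RESOURCE = {
  'id'       => 7,
  'name'     => 'ovirt-lab',
  'provider' => 'Ovirt',
  'url'      => 'https://ovirt.example.test/ovirt-engine/api',
  'user'     => 'svc-foreman',
  'password' => 'constructed-secret-value'
}.freeze

# Fields that must never appear in any API response body.
SECRET_FIELDS = %w[password].freeze

# Vulnerable pattern: the caller of a power action receives the full record,
# including the credentials used to reach the compute resource.
def power_response_vulnerable(resource, vm_id, state)
  { 'vm' => vm_id, 'state' => state, 'compute_resource' => resource }.to_json
end

# Hardened pattern: only the fields a power action needs are serialized.
POWER_RESPONSE_FIELDS = %w[id name provider].freeze
def power_response_hardened(resource, vm_id, state)
  summary = resource.select { |k, _| POWER_RESPONSE_FIELDS.include?(k) }
  { 'vm' => vm_id, 'state' => state, 'compute_resource' => summary }.to_json
end

# Regression check: walk a parsed JSON body and return the JSON paths of any
# secret field found, so a test suite can fail if a response ever leaks one.
def leaked_fields(json_body)
  found = []
  walk = lambda do |node, path|
    case node
    when Hash
      node.each do |k, v|
        found << "#{path}/#{k}" if SECRET_FIELDS.include?(k)
        walk.call(v, "#{path}/#{k}")
      end
    when Array
      node.each_with_index { |v, i| walk.call(v, "#{path}[#{i}]") }
    end
  end
  walk.call(JSON.parse(json_body), '')
  found
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{leaked_fields(power_response_vulnerable(COMPUTE_RESOURCE, 42, 'on')).inspect}"
  puts "hardened:   #{leaked_fields(power_response_hardened(COMPUTE_RESOURCE, 42, 'on')).inspect}"
end
```

The allow-list approach is preferable to a deny-list of secret fields because new sensitive attributes added to the record later stay hidden by default; the `leaked_fields` scan is a second line of defence that can run over every API response in an integration test.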
How to mitigate CVE-2018-1097

Update to version 1.16.1.

Sources