Information disclosure in OpenWSMAN - CVE-2019-3816

 

Published: April 18, 2019


Vulnerability identifier: #VU18313
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-3816
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Openwsman
Affected software:
OpenWSMAN

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an incorrect default configuration of the application: the working directory of the openwsmand daemon is set to the root directory. A remote unauthenticated attacker can use the API to view the contents of an arbitrary file on the system.
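An added audit check, not part of the original advisory or of the Openwsman project: it reports the working directory of each running openwsmand process on a Linux host and flags the condition named above (working directory set to /). The function name and the optional second argument (an alternate proc root, used for testing) are assumptions of this example.

```shell
# check_daemon_cwd NAME [PROC_ROOT]
# Prints one line per process whose command name equals NAME and returns:
#   0 = every matching process has a working directory other than /
#   1 = at least one matching process has its working directory set to /
#   2 = no matching process found (or none could be inspected)
check_daemon_cwd() {
    name=$1
    proc_root=${2:-/proc}          # assumption: overridable so the check can be tested
    status=2
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        [ "$(cat "$dir/comm" 2>/dev/null)" = "$name" ] || continue
        pid=${dir##*/}
        # Reading another user's cwd link needs root (or the same UID).
        if ! cwd=$(readlink "$dir/cwd" 2>/dev/null); then
            echo "UNKNOWN pid=$pid (cwd not readable, run as root)"
            continue
        fi
        if [ "$cwd" = "/" ]; then
            echo "FAIL pid=$pid cwd=/"
            status=1
        else
            echo "OK pid=$pid cwd=$cwd"
            [ "$status" -eq 1 ] || status=0
        fi
    done
    return "$status"
}
```

Run as root: check_daemon_cwd openwsmand. A FAIL line means the daemon is running with the configuration the description refers to; an OK line only describes the working directory and does not by itself confirm that a fixed build is installed.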


How to mitigate CVE-2019-3816

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
