Insufficiently protected credentials in convert2rhel - CVE-2022-0852

 


Published: April 27, 2022 / Updated: June 6, 2022


Vulnerability identifier: #VU62654
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-0852
CWE-ID: CWE-522
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
convert2rhel
Software vendor:
OS and Application Modernization Group

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists because convert2rhel passes the Red Hat account password to subscription-manager as a command-line argument. Command-line arguments are readable by every local user (for example through ps or /proc/<pid>/cmdline), so a local user who can view the process list while the conversion runs can read the Red Hat account password and use it to gain unauthorized access to the victim's Red Hat account.

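The exposure described above, shown as an added example that is not part of this advisory or of the convert2rhel or subscription-manager code bases. A stand-in Python child process plays the role of subscription-manager; the `--password` option name, the constructed secret value and the convention that the safe variant reads the secret from stdin are assumptions. The first function reproduces the weak pattern (secret on argv) and the second the hardened one (secret written to the child's stdin), and a reader with only process-list access inspects each child the way any local user could:

```python
"""Secret-on-argv exposure versus stdin hand-off (added example, Python 3 stdlib only)."""
import os
import subprocess
import sys

# Stand-in for subscription-manager (assumption: a Python one-liner, not the real tool).
# It takes the password from --password if present, otherwise from its stdin, and echoes it
# so we can confirm both hand-off styles actually deliver the secret.
CHILD_SRC = (
    "import sys; a=sys.argv[1:]; "
    "print(a[a.index('--password')+1] if '--password' in a "
    "else sys.stdin.readline().rstrip())"
)


def read_cmdline(pid):
    """Return argv of `pid` as an unprivileged local user sees it.

    Uses /proc/<pid>/cmdline on Linux and falls back to ps(1) elsewhere; neither
    path requires any privilege beyond being logged in on the host.
    """
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            raw = f.read()
        return [a.decode(errors="replace") for a in raw.split(b"\0") if a]
    except OSError:
        out = subprocess.run(
            ["ps", "-o", "args=", "-p", str(pid)],
            capture_output=True, text=True, check=True,
        ).stdout
        return out.split()


def secret_exposed(argv, secret):
    """True if `secret` appears anywhere in the observed argument vector."""
    return any(secret in a for a in argv)


def _spawn_and_observe(argv, stdin_payload):
    """Start the child, snapshot its argv while it is alive, then let it finish."""
    p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    try:
        visible = read_cmdline(p.pid)       # what every local user can read
    finally:
        out, _ = p.communicate(input=stdin_payload)
    return visible, out.strip()


def register_leaky(password):
    """Weak pattern (the CVE-2022-0852 shape): password placed on the child's argv."""
    argv = [sys.executable, "-c", CHILD_SRC, "--username", "rhn-user", "--password", password]
    return _spawn_and_observe(argv, stdin_payload="")


def register_safe(password):
    """Hardened pattern: argv carries no secret; the password is written to stdin only."""
    argv = [sys.executable, "-c", CHILD_SRC]
    return _spawn_and_observe(argv, stdin_payload=password + "\n")


def scan_proc_for(secret):
    """Attacker's view on Linux: pids of any process whose argv contains `secret`."""
    hits = []
    if not os.path.isdir("/proc"):
        return hits
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            if secret_exposed(read_cmdline(int(name)), secret):
                hits.append(int(name))
        except (OSError, subprocess.CalledProcessError):
            continue                        # process exited or is not readable
    return hits


if __name__ == "__main__":
    pw = "hunter2-constructed-sample"       # constructed sample secret, not a real credential
    for fn in (register_leaky, register_safe):
        argv_seen, echoed = fn(pw)
        print(f"{fn.__name__}: child received secret={echoed == pw}, "
              f"secret visible in process list={secret_exposed(argv_seen, pw)}")
```

Both variants deliver the secret to the child, but only the stdin variant keeps it out of the process table. The same reasoning applies to environment variables only partially: `/proc/<pid>/environ` is readable solely by the process owner, whereas `cmdline` is world-readable by default, which is why argv is the worst place for a credential.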

Remediation

Install the update from the vendor's website. Until the update is applied, run the conversion only on hosts where no untrusted local users are logged in, and rotate the Red Hat account password after any conversion performed with a vulnerable version.

External links