#VU18313 Information disclosure in OpenWSMAN - CVE-2019-3816
Published: April 18, 2019
OpenWSMAN
Openwsman
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an incorrect default configuration of the application: the working directory of the openwsmand daemon is set to the root directory. A remote unauthenticated attacker can use the API to view the contents of an arbitrary file on the system.
Remediation
External links
- http://bugzilla.suse.com/show_bug.cgi?id=1122623
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00065.html
- http://www.securityfocus.com/bid/107368
- http://www.securityfocus.com/bid/107409
- https://access.redhat.com/errata/RHSA-2019:0638
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3816
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2V5HJ355RSKMFQ7GRJAHRZNDVXASF7TA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B2HEZ7D7GF3HDF36JLGYXIK5URR66DS4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CXQP7UDPRZIZ4LM7FEJCTC2EDUYVOR2J/