CVE-2022-0852

Published: Aug 29, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line via e.g. htop or ps. The specific impact varies upon the privileges of the Red Hat account in question, but it could affect the integrity, availability, and/or data confidentiality of other systems that are administered by that account. This occurs regardless of how the password is supplied to convert2rhel.

Affected (4)

Products: Convert2rhel Project: Convert2rhel · Redhat: Enterprise Linux

Convert2rhel Project

1 product

1 product

Enterprise Linux

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Convert2rhel Project Convert2rhel	Before 0.26

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 8.0

Related CWEs

Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (10)

https://access.redhat.com/security/cve/CVE-2022-0852

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2060129

Source: secalert@redhat.com

ExploitIssue TrackingThird Party Advisory

https://github.com/oamg/convert2rhel/commit/8d72fb030ed31116fdb256b327d299337b000af4

Source: secalert@redhat.com

ExploitPatchThird Party Advisory

https://github.com/oamg/convert2rhel/pull/492

Source: secalert@redhat.com

ExploitPatchThird Party Advisory

https://issues.redhat.com/browse/RHELC-432

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/security/cve/CVE-2022-0852

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2060129

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://github.com/oamg/convert2rhel/commit/8d72fb030ed31116fdb256b327d299337b000af4

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://github.com/oamg/convert2rhel/pull/492

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://issues.redhat.com/browse/RHELC-432

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.