CVE-2019-10198

Advisory lineage Upstream: 0 Downstream: 1
Downstream
RHSA-2019:3172
Modified
Published: 31 Jul 2019, 21:44
Last modified:04 Aug 2024, 22:17

Vulnerability Summary

Overall Risk (default)
medium
26/100
CVSS Score
6.5 MEDIUM
v3.0 (cve.org)
EPSS Score
1.4% LOW
1% probability -0.03%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

31 Jul 2019, 21:44
Published
Vulnerability first disclosed
04 Aug 2024, 22:17
Last Modified
Vulnerability information updated

Description

An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.

CVSS Metrics

  • v3.1MEDIUMScore: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • v3.0MEDIUMScore: 6.5CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • v2.0MEDIUMScore: 4AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 1.40% Percentile: 81%

Techniques & Countermeasures

  • CWE-306Missing Authentication for Critical Function

    The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • CWE-592DEPRECATED: Authentication Bypass Issues

    This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

Affected Systems

  • redhatsatellite

    6.6

  • the foreman projectforeman-tasks

    0.15.7

  • theforemanforeman-tasks

    < 0.15.7

References (3)