CVE-2019-10159

cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://access.redhat.com/errata/RHSA-2019:2466	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159	Issue Tracking Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2466	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:cfme-gemset::::::::
	cpe:2.3:a:redhat:cfme-gemset::::::::

Configuration 2 (hide)

cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*

History

21 Nov 2024, 04:18

Type	Values Removed	Values Added
References	~~() https://access.redhat.com/errata/RHSA-2019:2466 - Third Party Advisory~~	() https://access.redhat.com/errata/RHSA-2019:2466 - Third Party Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159 - Issue Tracking, Third Party Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159 - Issue Tracking, Third Party Advisory

Information

Published : 2019-06-14 14:29

Updated : 2024-11-21 04:18

NVD link : CVE-2019-10159

Mitre link : CVE-2019-10159

CVE.ORG link : CVE-2019-10159

JSON object : View

Products Affected

redhat

cloudforms
cfme-gemset

CWE

CWE-285

Improper Authorization

NVD-CWE-Other

{"id": "CVE-2019-10159", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2019-06-14T14:29:00.407", "references": [{"url": "https://access.redhat.com/errata/RHSA-2019:2466", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2019:2466", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10159", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-285"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged user can access all VM migration logs available."}, {"lang": "es", "value": "cfme-gemset versi\u00f3n 5.10.4.3 y anteriores, versi\u00f3n 5.9.9.3 y anteriores son vulnerables a un filtrado de datos, debido a una autorizaci\u00f3n inapropiada en el controlador del registro de migraci\u00f3n. Un atacante con acceso a un usuario sin privilegios puede ingresar a todos los registros de migraci\u00f3n VM disponibles."}], "lastModified": "2024-11-21T04:18:32.573", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cfme-gemset:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A7FD6A58-0D10-4A4C-83DD-0BC2F0234E7B", "versionEndIncluding": "5.9.9.3", "versionStartIncluding": "5.9.0.22"}, {"criteria": "cpe:2.3:a:redhat:cfme-gemset:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65E764BE-FAC3-444E-B187-2D798BEF4DA1", "versionEndIncluding": "5.10.4.3", "versionStartIncluding": "5.10.0.33"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04AC556D-D511-4C4C-B9FB-A089BB2FEFD5"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}