CVE-2022-3287
Summary
| CVE | CVE-2022-3287 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-09-28 20:15:00 UTC |
| Updated | 2023-11-07 03:51:00 UTC |
| Description | When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file. |
Risk And Classification
Problem Types: CWE-552
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Never save the Redfish passwords to a file readable by users · fwupd/fwupd@ea67685 · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160616 Oracle Enterprise Linux Security Update for fwupd (ELSA-2023-2487)
- 161135 Oracle Enterprise Linux Security Update for fwupd (ELSA-2023-7189)
- 183664 Debian Security Update for fwupd (CVE-2022-3287)
- 241430 Red Hat Update for fwupd (RHSA-2023:2487)
- 242426 Red Hat Update for fwupd (RHSA-2023:7189)
- 243022 Red Hat Update for fwupd (RHSA-2024:1106)
- 243092 Red Hat Update for fwupd (RHSA-2024:1403)
- 941051 AlmaLinux Security Update for fwupd (ALSA-2023:2487)
- 941461 AlmaLinux Security Update for fwupd (ALSA-2023:7189)
- 961082 Rocky Linux Security Update for fwupd (RLSA-2023:7189)