{"api_version":"1","generated_at":"2026-04-22T23:21:47+00:00","cve":"CVE-2019-3893","urls":{"html":"https://cve.report/CVE-2019-3893","api":"https://cve.report/api/cve/CVE-2019-3893.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-3893","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-3893"},"summary":{"title":"CVE-2019-3893","description":"In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the \"delete_compute_resource\" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2019-04-09 16:29:00","updated_at":"2022-11-30 22:00:00"},"problem_types":["CWE-732"],"metrics":[],"references":[{"url":"https://github.com/theforeman/foreman/pull/6621","name":"https://github.com/theforeman/foreman/pull/6621","refsource":"MISC","tags":["Third Party Advisory"],"title":"Fixes #26450 - add destroy rabl for compute resource by shiramax · Pull Request #6621 · theforeman/foreman · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://projects.theforeman.org/issues/26450","name":"https://projects.theforeman.org/issues/26450","refsource":"MISC","tags":["Vendor Advisory"],"title":"Bug #26450: CVE-2019-3893: Compute resource delete via api returns password in plaintext - Foreman","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/107846","name":"107846","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Foreman CVE-2019-3893 Information Disclosure Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893","refsource":"CONFIRM","tags":["Issue Tracking","Third Party Advisory"],"title":"1696400 – (CVE-2019-3893) CVE-2019-3893 foreman: Recover of plaintext password or token for the compute resources","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2019/04/14/2","name":"[oss-security] 20190414 CVE-2019-3893: Foreman: Compute resource credentials exposed during deletion on API","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - CVE-2019-3893: Foreman: Compute resource credentials exposed during\n deletion on API","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-3893","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-3893","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"3893","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"satellite","cpe6":"6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"3893","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"satellite","cpe6":"6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"3893","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"theforeman","cpe5":"foreman","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"3893","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"theforeman","cpe5":"foreman","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-3893","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"The Foreman Project","product":{"product_data":[{"product_name":"foreman","version":{"version_data":[{"version_value":"1.20.3"},{"version_value":"1.21.1"},{"version_value":"1.22.0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-732"}]}]},"references":{"reference_data":[{"refsource":"BID","name":"107846","url":"http://www.securityfocus.com/bid/107846"},{"refsource":"MLIST","name":"[oss-security] 20190414 CVE-2019-3893: Foreman: Compute resource credentials exposed during deletion on API","url":"http://www.openwall.com/lists/oss-security/2019/04/14/2"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893","refsource":"CONFIRM"},{"url":"https://projects.theforeman.org/issues/26450","refsource":"MISC","name":"https://projects.theforeman.org/issues/26450"},{"url":"https://github.com/theforeman/foreman/pull/6621","refsource":"MISC","name":"https://github.com/theforeman/foreman/pull/6621"}]},"description":{"description_data":[{"lang":"eng","value":"In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the \"delete_compute_resource\" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable."}]},"impact":{"cvss":[[{"vectorString":"4.9/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","version":"3.0"}]]}},"nvd":{"publishedDate":"2019-04-09 16:29:00","lastModifiedDate":"2022-11-30 22:00:00","problem_types":["CWE-732"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.2,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*","versionStartIncluding":"1.21.0","versionEndExcluding":"1.21.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"3893","Ordinal":"141502","Title":"CVE-2019-3893","CVE":"CVE-2019-3893","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"3893","Ordinal":"1","NoteData":"In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the \"delete_compute_resource\" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"3893","Ordinal":"2","NoteData":"2019-04-09","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"3893","Ordinal":"3","NoteData":"2020-12-04","Type":"Other","Title":"Modified"}]}}}