PT-2022-13472 · Unknown · Convert2Rhel

Todd Cullum

Published

2022-08-29

Updated

2023-02-12

CVE-2022-0851

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions convert2rhel (affected versions not specified)

Description The issue is related to the use of the --activationkey option with convert2rhel, which passes the activation key to subscription-manager via the command line. This could allow unauthorized users locally on the machine to view the activation key via the process command line, using tools like htop or ps. The impact varies depending on the subscription, but it could enable an attacker to register systems purchased by the victim until discovered, resulting in a form of fraud.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2022-0851

RHSA-2022:6266

RHSA-2022:6268

RHSA-2022:6269

Affected Products

Convert2Rhel

PT-2022-13472 · Unknown · Convert2Rhel

CVE-2022-0851

Weakness Enumeration

Related Identifiers

Affected Products

References · 6