Vulnerability Details : CVE-2022-0851
Potential exploit
There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.
Vulnerability category: Information leak
Products affected by CVE-2022-0851
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:convert2rhel_project:convert2rhel:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-0851
0.03%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-0851
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2022-0851
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: secalert@redhat.com (Primary)
References for CVE-2022-0851
-
https://bugzilla.redhat.com/show_bug.cgi?id=2060217
2060217 – (CVE-2022-0851) CVE-2022-0851 convert2rhel: Activation key passed via command line by codeExploit;Issue Tracking;Third Party Advisory
-
https://access.redhat.com/security/cve/CVE-2022-0851
CVE-2022-0851- Red Hat Customer PortalThird Party Advisory
Jump to