CVE-2020-10710 - Vulnerability Details

A flaw was found where the Plaintext Candlepin password is disclosed while updating Red Hat Satellite through the satellite-installer. This flaw allows an attacker with sufficiently high privileges, such as root, to retrieve the Candlepin plaintext password.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00113.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Satellite Satellite Capsule
Theforeman	Foreman

Configuration 1 [-]

cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Satellite 6.7 for RHEL 7
ansiblerole-satellite-receptor-installer-0:0.6.6.1-1.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
foreman-0:1.24.1.25-1.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
foreman-installer-1:1.24.1.22-1.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
pulp-0:2.21.0.2-1.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
python-receptor-satellite-0:1.0.1-2.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
satellite-0:6.7.3-1.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
tfm-rubygem-foreman_ansible-0:4.0.3.7-1.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
tfm-rubygem-foreman_remote_execution-0:2.0.10.2-1.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
tfm-rubygem-foreman-tasks-0:0.17.5.7-1.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
tfm-rubygem-katello-0:3.14.0.27-1.el7sat	cpe:/a:redhat:satellite:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
ansiblerole-satellite-receptor-installer-0:0.6.6.1-1.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
foreman-0:1.24.1.25-1.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
foreman-installer-1:1.24.1.22-1.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
pulp-0:2.21.0.2-1.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
python-receptor-satellite-0:1.0.1-2.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
satellite-0:6.7.3-1.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
tfm-rubygem-foreman_ansible-0:4.0.3.7-1.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
tfm-rubygem-foreman_remote_execution-0:2.0.10.2-1.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
tfm-rubygem-foreman-tasks-0:0.17.5.7-1.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z
tfm-rubygem-katello-0:3.14.0.27-1.el7sat	cpe:/a:redhat:satellite_capsule:6.7::el7	RHBA-2020:3614	2020-09-02T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2020-3140	A flaw was found where the Plaintext Candlepin password is disclosed while updating Red Hat Satellite through the satellite-installer. This flaw allows an attacker with sufficiently high privileges, such as root, to retrieve the Candlepin plaintext password.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1816747
https://nvd.nist.gov/vuln/detail/CVE-2020-10710
https://www.cve.org/CVERecord?id=CVE-2020-10710

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-08-16T00:00:00

Updated: 2024-08-04T11:06:11.148Z

Reserved: 2020-03-20T00:00:00

Link: CVE-2020-10710

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-16T21:15:09.300

Modified: 2024-11-21T04:55:54.067

Link: CVE-2020-10710

Redhat

Severity : Moderate

Publid Date: 2021-12-10T05:27:00Z

Links: CVE-2020-10710 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object