{
  "threat_severity" : "Moderate",
  "public_date" : "2020-09-08T00:00:00Z",
  "bugzilla" : {
    "description" : "gnome-settings-daemon: Red Hat Customer Portal password logged and passed as command line argument when user registers through GNOME control center",
    "id" : "1873093",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1873093"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-522",
  "details" : [ "A flaw was found in the GNOME Control Center in Red Hat Enterprise Linux 8 versions prior to 8.2, where it improperly uses Red Hat Customer Portal credentials when a user registers a system through the GNOME Settings User Interface. This flaw allows a local attacker to discover the Red Hat Customer Portal password. The highest threat from this vulnerability is to confidentiality.", "A flaw was found in the GNOME Control Center, where it improperly uses Red Hat Customer Portal credentials when a user registers a system through the GNOME Settings User Interface. This flaw allows a local attacker to discover the Red Hat Customer Portal password. The highest threat from this vulnerability is to confidentiality." ],
  "statement" : "This issue did not affect the versions of gnome-settings-daemon as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include the subscription-manager plugin.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4451",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "gnome-settings-daemon-0:3.32.0-11.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2021-01-26T00:00:00Z",
    "advisory" : "RHSA-2021:0266",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "gnome-settings-daemon-0:3.32.0-9.el8_2.1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "gnome-settings-daemon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "gnome-settings-daemon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-14391\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14391" ],
  "name" : "CVE-2020-14391",
  "mitigation" : {
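    "value" : "Use `subscription-manager` directly from the terminal and do not use the `--password` flag; when the flag is omitted, the tool prompts for the password interactively, so the password is not passed as a command line argument.",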
    "lang" : "en:us"
  },
  "csaw" : false
}