{
  "threat_severity" : "Moderate",
  "public_date" : "2023-10-03T14:00:00Z",
  "bugzilla" : {
    "description" : "foreman: World readable file containing secrets",
    "id" : "2230135",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2230135"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "A sensitive information exposure vulnerability was found in foreman. Contents of tomcat's server.xml file, which contain passwords to candlepin's keystore and truststore, were found to be world readable.", "A sensitive information exposure vulnerability was found in foreman. Contents of tomcat's server.xml file, which contain passwords to candlepin's keystore and truststore, were found to be world readable." ],
  "statement" : "This flaw has a limited impact on security, as access to candlepin's individual keystore and truststore files is restricted to the root and tomcat users only. Therefore, the impact is limited to highly privileged users.",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.13 for RHEL 8",
    "release_date" : "2024-02-29T00:00:00Z",
    "advisory" : "RHSA-2024:1061",
    "cpe" : "cpe:/a:redhat:satellite_utils:6.13::el8",
    "package" : "foreman-0:3.5.1.24-1.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.14 for RHEL 8",
    "release_date" : "2023-12-14T00:00:00Z",
    "advisory" : "RHSA-2023:7851",
    "cpe" : "cpe:/a:redhat:satellite_utils:6.14::el8",
    "package" : "foreman-0:3.7.0.10-1.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.14 for RHEL 8",
    "release_date" : "2023-12-14T00:00:00Z",
    "advisory" : "RHSA-2023:7851",
    "cpe" : "cpe:/a:redhat:satellite_utils:6.14::el8",
    "package" : "foreman-installer-1:3.7.0.5-1.el8sat"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-4886\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4886" ],
  "name" : "CVE-2023-4886",
  "csaw" : false
}