CVE-2022-3287

Name
CVE-2022-3287
Description
When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:fwupd:fwupd:*:*:*:*:*:*:*:* fwupd >= None < 1.8.5

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
fwupd 3.16-community 1.7.6-r0 Timo Teräs <timo.teras@iki.fi> possibly vulnerable