From 0327e5054b764bb9914c819ec43df3a9b8003a07 Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Tue, 31 Oct 2023 15:11:33 +0100 Subject: [PATCH] Add CVE-2023-4886 to security.md The fix was already released. Co-authored-by: Evgeni Golov --- security.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/security.md b/security.md index fa176b47c5..901d2ce342 100644 --- a/security.md +++ b/security.md @@ -15,6 +15,7 @@ The policy of the project is to treat all newly reported issues as private, and All security advisories made for Foreman are listed below with their corresponding [CVE identifier](https://cve.mitre.org/). +* [CVE-2023-4886: World readable tomcat server.xml contains passwords](security.html#2023-4886) * [CVE-2022-4130: Blind SSRF via Referer header](security.html#2022-4130) * [CVE-2022-3874: OS command injection via ct_command and fcct_command](security.html#2022-3874) * [CVE-2021-3584: Remote code execution through Sendmail configuration](security.html#2021-3584) @@ -89,6 +90,15 @@ All security advisories made for Foreman are listed below with their correspondi ### Disclosure details +#### CVE-2023-4886: World readable tomcat server.xml contains passwords + +The world readable file `/etc/tomcat/server.xml` contains passwords for the keystore and truststore. +The actual stores are limited by file permissions, but `server.xml` should also be limited. + +* Affects Katello +* Fix released in Foreman 3.8.0 +* Redmine issue [#36760](https://projects.theforeman.org/issues/36760) + #### CVE-2022-4130: Blind SSRF via Referer header A blind site-to-site request forgery vulnerability was found in Satellite server.
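Review bot: In the second hunk the new "Affects Katello" bullet gives no version range, so readers cannot tell which Katello releases ship the world-readable `/etc/tomcat/server.xml`; consider stating the affected versions alongside "Fix released in Foreman 3.8.0", and, since the problem is the mode of an existing configuration file, a sentence on whether installations upgraded to 3.8.0 need to re-run the installer or tighten the permissions manually. As a style point, "World readable" should be hyphenated as "World-readable" in both the heading and the first sentence, and "tomcat" is normally written "Tomcat" in prose.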