convert2rhel is vulnerable to information disclosure. The vulnerability exists when the library passes the Red Hat account password to subscription-manager on the command line, which could allow unauthorized local users on the machine to read the password from the process command line with tools such as htop or ps.
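As an added illustration (not convert2rhel's code, and not the fix the project shipped), the following Python contrasts the argv pattern described above with a variant that keeps the secret out of the process command line and adds a pre-spawn check; the `--password-file` flag and the sample credentials are constructed for the example.

```python
import os
import tempfile
from typing import List

# Constructed sample credentials for the demonstration (not real).
USERNAME = "example-user"
PASSWORD = "constructed-password-123"


def build_register_argv_vulnerable(username: str, password: str) -> List[str]:
    """The pattern CVE-2022-0852 describes: the password is placed in argv, so
    any local user can read it from /proc/<pid>/cmdline, which is exactly what
    ps and htop display."""
    return ["subscription-manager", "register",
            "--username", username, "--password", password]


def write_secret_file(secret: str) -> str:
    """Store the secret in a file only its owner can read. mkstemp() creates the
    file atomically and fchmod() tightens it before any data is written, so no
    other user gets a window to open it."""
    fd, path = tempfile.mkstemp(prefix="rhsm-secret-")
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(secret)
    return path


def build_register_argv_hardened(username: str, secret_path: str) -> List[str]:
    """Hardened variant: argv carries only the path of the 0600 file.
    '--password-file' is a hypothetical flag for illustration; use whatever
    non-argv channel (stdin, file, activation key) the real tool documents."""
    return ["subscription-manager", "register",
            "--username", username, "--password-file", secret_path]


def argv_leaks_secret(argv: List[str], secret: str) -> bool:
    """Audit check to run over argv before calling subprocess: does any
    argument contain the secret?"""
    return any(secret in arg for arg in argv)


def secret_file_mode(path: str) -> int:
    """Permission bits of the secret file (expected 0o600)."""
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    print(argv_leaks_secret(build_register_argv_vulnerable(USERNAME, PASSWORD), PASSWORD))  # True
    path = write_secret_file(PASSWORD)
    print(argv_leaks_secret(build_register_argv_hardened(USERNAME, path), PASSWORD))  # False
    os.unlink(path)
```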
access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/converting_from_an_rpm-based_linux_distribution_to_rhel/index
access.redhat.com/errata/RHSA-2022:1599
access.redhat.com/errata/RHSA-2022:1617
access.redhat.com/errata/RHSA-2022:1618
access.redhat.com/security/cve/CVE-2022-0852
access.redhat.com/security/updates/classification/#important
access.redhat.com/support/policy/convert2rhel-support
bugzilla.redhat.com/show_bug.cgi?id=2060129
github.com/oamg/convert2rhel/commit/8d72fb030ed31116fdb256b327d299337b000af4
github.com/oamg/convert2rhel/pull/492
issues.redhat.com/browse/RHELC-432