A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script.
History

Mon, 16 Sep 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Theforeman
Theforeman foreman
CPEs cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:-:*:*:*:*:*:*:*
Vendors & Products Theforeman
Theforeman foreman

Wed, 14 Aug 2024 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 12 Aug 2024 18:00:00 +0000

Type Values Removed Values Added
Description A command injection flaw was found in the "Host Init Config" template in the Foreman application, via the "Install Packages" field on the "Register Host" page. This issue may allow an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script. A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script.

Mon, 12 Aug 2024 17:00:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A command injection flaw was found in the "Host Init Config" template in the Foreman application, via the "Install Packages" field on the "Register Host" page. This issue may allow an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script.
Title Foreman: Command Injection in "Host Init Config" Template via "Install Packages" Field on Foreman Foreman: command injection in "host init config" template via "install packages" field on foreman
First Time appeared Redhat
Redhat satellite
CPEs cpe:/a:redhat:satellite:6
Vendors & Products Redhat
Redhat satellite
References

Mon, 12 Aug 2024 13:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title Foreman: Command Injection in "Host Init Config" Template via "Install Packages" Field on Foreman
Weaknesses CWE-77
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-08-12T16:48:54.120Z

Updated: 2024-09-27T16:27:16.155Z

Reserved: 2024-08-12T10:57:20.394Z

Link: CVE-2024-7700

cve-icon Vulnrichment

Updated: 2024-08-14T13:23:30.640Z

cve-icon NVD

Status : Analyzed

Published: 2024-08-12T17:15:18.607

Modified: 2024-09-16T14:20:21.087

Link: CVE-2024-7700

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-08-12T10:00:00Z

Links: CVE-2024-7700 - Bugzilla