Bug 1940990 (CVE-2021-3457)
| Summary: | CVE-2021-3457 smart_proxy_shellhooks: unauthorized users can execute actions that should be reserved for foreman | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Yadnyawalk Tale <ytale> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | bbuckingham, bcourt, bkearney, btotty, hhudgeon, lzap, mmccune, nmoumoul, pcreech, rchan, rjerrido, security-response-team, sokeeffe |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | smart_proxy_shellhooks 0.9.2 | Doc Type: | --- |
| Doc Text: | An improper authorization handling flaw was found in Foreman. The Shellhooks plugin for the smart-proxy allows Foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-30 11:35:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1940908, 1941509 | | |
Description
Yadnyawalk Tale
2021-03-19 17:30:52 UTC
Acknowledgments:
Name: Evgeni Golov (Red Hat)
Upstream: Foreman project
Upstream patch: https://github.com/theforeman/smart_proxy_shellhooks/commit/35dafbf9db69a54ed501cebaae748ecce5d901df

Statement: Red Hat Satellite 6 does not ship the smart_proxy_shellhooks plugin, which is affected by the vulnerability. This flaw affects upstream Foreman only.

Mitigation: To mitigate the flaw, disable the smart_proxy_shellhooks plugin from the Server.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3457