Bug 2140577 (CVE-2022-3874)

Summary: CVE-2022-3874 foreman: OS command injection via ct_command and fcct_command
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bbuckingham, bcourt, egolov, ehelms, jsherril, lzap, mhulan, myarboro, nmoumoul, orabin, pcreech, rchan, vinair, ytale
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2141267, 2144841, 2144846, 2163694, 2163695, 2241804
Bug Blocks: 2139519, 2162363

Description ybuenos 2022-11-07 10:02:17 UTC
In the Foreman component of Satellite, the ct_command and fcct_command settings allow authenticated users to execute arbitrary commands on the server. These commands are used to transpile CoreOS and Fedora CoreOS configurations in templates. Changing the command requires admin privileges on the Foreman instance.

Comment 3 ybuenos 2023-01-24 09:41:49 UTC
*** Bug 2162972 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2023-10-19 13:13:02 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931

Comment 10 errata-xmlrpc 2023-10-20 18:43:13 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2023:5979 https://access.redhat.com/errata/RHSA-2023:5979

Comment 11 errata-xmlrpc 2023-11-08 14:16:54 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818