Bug 2391715 (CVE-2025-9572)
| Summary: | CVE-2025-9572 foreman: Satellite: GraphQL API permission bypass leads to information disclosure | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | anthomas, bagasse, ehelms, ggainey, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, smallamp, tmalecek |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-08-29 06:24:17 UTC
This issue has been addressed in the following products: Red Hat Satellite 6.17 for RHEL 9 Via RHSA-2025:21893 https://access.redhat.com/errata/RHSA-2025:21893 This issue has been addressed in the following products: Red Hat Satellite 6.16 for RHEL 8 Red Hat Satellite 6.16 for RHEL 9 Via RHSA-2025:21894 https://access.redhat.com/errata/RHSA-2025:21894 This issue has been addressed in the following products: Red Hat Satellite 6.15 for RHEL 8 Via RHSA-2025:21897 https://access.redhat.com/errata/RHSA-2025:21897 |