Bug 2396020 (CVE-2025-10622)

Summary: CVE-2025-10622 foreman: OS command injection via ct_location and fcct_location parameters
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anthomas, ehelms, ggainey, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, security-response-team, smallamp, tmalecek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Red Hat Satellite (Foreman component). This vulnerability allows an authenticated user with edit_settings permissions to achieve arbitrary command execution on the underlying operating system via insufficient server-side validation of command whitelisting.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2025-11-01   

Description OSIDB Bzimport 2025-09-17 09:16:08 UTC 
A command injection flaw was found in Red Hat Satellite 6.16.5.2 (Foreman 3.12.0.8-1). Although a
whitelist for CoreOS Transpiler Command and Fedora CoreOS Transpiler Command is implemented, the
whitelist is only enforced on the client-side and is not validated on the server-side. This flaw allows an
authenticated user with edit_settings permissions to modify these parameters to achieve arbitrary
command execution on underlying operating system and bypass safe mode rendering.
Comment 2 errata-xmlrpc 2025-11-04 17:12:31 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.18 for RHEL 9

Via RHSA-2025:19721 https://access.redhat.com/errata/RHSA-2025:19721
Comment 3 errata-xmlrpc 2025-11-05 23:45:41 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.17 for RHEL 9

Via RHSA-2025:19832 https://access.redhat.com/errata/RHSA-2025:19832
Comment 4 errata-xmlrpc 2025-11-06 02:23:45 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2025:19855 https://access.redhat.com/errata/RHSA-2025:19855
Comment 5 errata-xmlrpc 2025-11-06 02:24:59 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2025:19856 https://access.redhat.com/errata/RHSA-2025:19856