Bug 1940990 (CVE-2021-3457) - CVE-2021-3457 smart_proxy_shellhooks: unauthorized users can execute actions that should be reserved for foreman
Summary: CVE-2021-3457 smart_proxy_shellhooks: unauthorized users can execute actions ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3457
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1940908 1941509
TreeView+ depends on / blocked
 
Reported: 2021-03-19 17:30 UTC by Yadnyawalk Tale
Modified: 2021-12-14 18:47 UTC (History)
13 users (show)

Fixed In Version: smart_proxy_shellhooks 0.9.2
Clone Of:
Environment:
Last Closed: 2021-03-30 11:35:09 UTC
Embargoed:

Attachments (Terms of Use)

Description Yadnyawalk Tale 2021-03-19 17:30:52 UTC 
On Foreman, Shellhooks plugin for smart-proxy introduce a flaw which allows any client to perform actions of Foreman Server.
Comment 1 Yadnyawalk Tale 2021-03-19 17:30:57 UTC 
Acknowledgments:

Name: Evgeni Golov (Red Hat)
Upstream: Foreman project
Comment 5 Yadnyawalk Tale 2021-03-19 17:36:58 UTC 
Upstream patch:
https://github.com/theforeman/smart_proxy_shellhooks/commit/35dafbf9db69a54ed501cebaae748ecce5d901df
Comment 6 RaTasha Tillery-Smith 2021-03-22 17:48:03 UTC 
Statement:

Red Hat Satellite 6 does not ship the smart_proxy_shellhooks plugin, which is affected by the vulnerability. This flaw affects upstream Foreman only.
Comment 7 RaTasha Tillery-Smith 2021-03-22 17:48:04 UTC 
Mitigation:

To mitigate the flaw, disable the smart_proxy_shellhooks plugin from the Server.
Comment 8 Product Security DevOps Team 2021-03-30 11:35:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3457
Note You need to log in before you can comment on or make changes to this bug.