2304090 – (CVE-2024-7700) CVE-2024-7700 Foreman: Command Injection in "Host Init Config" Template via "Install Packages" Field on Foreman

Bug 2304090 (CVE-2024-7700) - CVE-2024-7700 Foreman: Command Injection in "Host Init Config" Template via "Install Packages" Field on Foreman

Summary: CVE-2024-7700 Foreman: Command Injection in "Host Init Config" Template via "...

Keywords:
Status:	NEW
Alias:	CVE-2024-7700
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-08-12 10:57 UTC by Abhishek Raj
Modified:	2024-10-14 06:34 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Abhishek Raj 2024-08-12 10:57:20 UTC

A command injection vulnerability was identified in Foreman, affecting the "Host Init Config" template. The issue arises when commands are injected through the "Install Packages" field on the "Register Host" page. An attacker with elevated privileges on the Foreman server could craft malicious commands, which would be executed when the host is registered. This could lead to unauthorized actions.

Note You need to log in before you can comment on or make changes to this bug.