Bug 1105369 - (CVE-2014-0007) CVE-2014-0007 foreman-proxy: smart-proxy remote command injection
CVE-2014-0007 foreman-proxy: smart-proxy remote command injection
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
impact=critical,public=20140618,repor...
: Security
Depends On: 1105413 1109016 1111008
Blocks: 1105370
  Show dependency treegraph
 
Reported: 2014-06-05 21:04 EDT by Kurt Seifried
Modified: 2016-04-26 15:17 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-08 19:06:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2014-06-05 21:04:02 EDT
Lukas Zap of Red Hat reports:

The smart proxy contains a check in tftp.rb to ensure that a specific web URL 
exists and is valid, this check is vulnerable to a command injection 
vulnerability.
Comment 3 Garth Mollett 2014-06-18 22:13:05 EDT
Public via: http://projects.theforeman.org/issues/6086
Comment 4 Murray McAllister 2014-06-18 23:52:10 EDT
Acknowledgements:

This issue was discovered by Lukas Zapletal of Red Hat.
Comment 6 errata-xmlrpc 2014-06-19 09:18:25 EDT
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6
  OpenStack 3 for RHEL 6

Via RHSA-2014:0770 https://rhn.redhat.com/errata/RHSA-2014-0770.html

Note You need to log in before you can comment on or make changes to this bug.