It was reported that TFTP API module in Smart Proxy is vulnerable to remote code execution via "variant" parameter, which is used to instantiate an implementation class using eval() on the user supplemented input.
Service is usually restricted in a default Foreman installation by requiring client SSL certificates and enforcing access to a configured list of trusted hosts, but may also be configured openly. The TFTP module is enabled in default installation, but may be disabled. Affected versions are 0.2 and higher.
Name: the Foreman project
Upstream: Lukas Zapletal (Red Hat)
This issue has been addressed in: