Bug 1969265 (CVE-2021-3589) - CVE-2021-3589 foreman_ansible: authenticated user can access host through job_template
Summary: CVE-2021-3589 foreman_ansible: authenticated user can access host through job...
Status: NEW
Alias: CVE-2021-3589
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 1969271
Blocks: 1935692 1969837
TreeView+ depends on / blocked
Reported: 2021-06-08 05:49 UTC by Yadnyawalk Tale
Modified: 2023-07-07 08:31 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Yadnyawalk Tale 2021-06-08 05:49:44 UTC
An attacker with elevated privileges can utilize Ansible functions to carry out actions as the Foreman-proxy user on the system. The prerequisite for this is that the hosts must have already been added to Foreman, and the attacker must have access to one of these hosts. If the attacker already has access to the system, they are deemed trustworthy with a high level of privilege.

Comment 3 Yadnyawalk Tale 2021-06-08 11:11:33 UTC
Looke like foreman_ansible introduced REX and job_templates in foreman_ansible-2.0.0 onward.

Comment 6 Yadnyawalk Tale 2023-02-08 09:34:52 UTC
The complexity of performing this attack is not within the attacker's control and privilege required evaluated is high. 

The administrator of Foreman must grant the attacker administrative-equivalent privileges to create or modify job templates (PR:H). However, even if the attacker has the necessary access, they still need to have at least two host machines deployed and added to Foreman, and have access to the first host to gain access to the second in order to achieve remote code execution on the machine (AC:H).

Note You need to log in before you can comment on or make changes to this bug.