Arbitrary Code Execution

The advisory has been revoked: it does not affect any version of the package foreman_maintain.


Threat Intelligence

  • EPSS: 0.05% (20th percentile)
  • NVD: 9.1 critical
  • Red Hat: 9.1 critical

  • Snyk ID SNYK-RUBY-FOREMANMAINTAIN-3368242
  • published 22 Mar 2023
  • disclosed 21 Mar 2023
  • credit Unknown

How to fix?

There is no fixed version for foreman_maintain.

Amendment

This was deemed not a vulnerability.

Overview

foreman_maintain is a package which provides various features that help keep Foreman/Satellite up and running.

Affected versions of this package were reported as vulnerable to Arbitrary Code Execution by creating a YAML global parameter under Configure->Global Parameters that contains a crafted payload. Exploitation requires an admin user.
