CVE-2024-7700: Foreman: command injection in "host init config" template via "install packages" field on foreman
First published: Mon Aug 12 2024(Updated: )
A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Theforeman Foreman | ||
| All of | ||
| Theforeman Foreman | ||
| Redhat Satellite | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/references
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- agent/event
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- vendor/theforeman
- canonical/theforeman foreman
- vendor/redhat
- canonical/redhat satellite
- version/redhat satellite/6.0