Arbitrary code execution through templates
CVE-2023-0118

9.1CRITICAL

Key Information:

Vendor
Red Hat
Status
foreman
Red Hat Satellite 6.13 for RHEL 8
Vendor
CVE Published:
20 September 2023

Summary

An arbitrary code execution vulnerability has been identified in Foreman, allowing an admin user to bypass safe mode in templates. This potentially malicious action enables the execution of arbitrary code on the underlying operating system, creating severe risks for system integrity and security. It is crucial for administrators to address this issue promptly to safeguard their environments.

References

https://access.redhat.com/errata/RHSA-2023:4466
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-0118
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2159291
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Andrew Danau (Onsec.io) for reporting this issue.
.