Arbitrary code execution through yaml global parameters
CVE-2023-0462

8HIGH

Key Information:

Vendor: Red Hat
Status: Foreman; Red Hat Satellite 6
Vendor: CVE Published:; 20 September 2023

Summary

An arbitrary code execution vulnerability exists in Foreman, potentially allowing an admin user to execute unauthorized commands on the operating system. This vulnerability can be exploited by manipulating global parameters with specially crafted YAML payloads, posing a significant risk to system integrity. Administrators are advised to apply the necessary security patches to mitigate this risk effectively.

References

https://access.redhat.com/security/cve/CVE-2023-0462

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2162970

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Jan 24, 2023

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Andrew Danau (Onsec.io) for reporting this issue.