Sensitive Information Disclosure in Foreman via GraphQL API
CVE-2024-6861
7.5 HIGH
Summary
An information disclosure vulnerability exists in Foreman's GraphQL API. When schema introspection is enabled, an attacker who can reach the API over the network, without prior authentication, can use introspection queries to discover and retrieve sensitive admin authentication keys. Holding those keys lets the attacker authenticate as the admin and compromise the entire API, which opens the door to further exploitation of the system. Organizations running Foreman should confirm that their GraphQL configuration does not expose introspection, and should rotate any admin credentials that may already have been retrieved.
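The check a practitioner would run against a deployment, added here as an example and not code from this page or from the Foreman project: send a GraphQL introspection query, report whether the server answered it, and list schema fields whose names suggest credentials. The endpoint path `/api/graphql`, the sensitive-name pattern and the two sample responses are assumptions; the sample responses are constructed for the example, not captured from Foreman.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Minimal introspection probe: asks the server to describe its own schema.
INTROSPECTION_QUERY = <<~GRAPHQL
  query IntrospectionProbe {
    __schema {
      types {
        name
        fields { name }
      }
    }
  }
GRAPHQL

# Heuristic (assumed) for field names that usually carry credentials or tokens.
SENSITIVE_FIELD = /token|secret|password|api_?key|auth|credential/i

# Send the probe over the network. The /api/graphql path is an assumption.
def probe(base_url, path: '/api/graphql')
  uri = URI.join(base_url, path)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  req = Net::HTTP::Post.new(uri.path, 'Content-Type' => 'application/json')
  req.body = { query: INTROSPECTION_QUERY }.to_json
  JSON.parse(http.request(req).body)
end

# True when the server answered the __schema query with data.
def introspection_enabled?(response)
  !response.dig('data', '__schema').nil?
end

# Returns "Type.field" names from an introspection result whose names look sensitive.
# Built-in introspection types (names starting with "__") are skipped.
def sensitive_fields(response)
  return [] unless introspection_enabled?(response)
  types = response.dig('data', '__schema', 'types') || []
  types.flat_map do |type|
    next [] if type['name'].to_s.start_with?('__') || type['fields'].nil?
    type['fields']
      .select { |f| SENSITIVE_FIELD.match?(f['name'].to_s) }
      .map { |f| "#{type['name']}.#{f['name']}" }
  end
end

# Constructed sample: a server with introspection enabled (not Foreman's real schema).
ENABLED_RESPONSE = JSON.parse(<<~BODY)
  {"data":{"__schema":{"types":[
    {"name":"Query","fields":[{"name":"users"},{"name":"hosts"}]},
    {"name":"User","fields":[{"name":"login"},{"name":"authenticationToken"}]},
    {"name":"Host","fields":[{"name":"name"},{"name":"ip"}]},
    {"name":"__Type","fields":[{"name":"name"}]}
  ]}}}
BODY

# Constructed sample: the shape graphql-ruby returns when introspection entry points are disabled.
DISABLED_RESPONSE = JSON.parse(<<~BODY)
  {"errors":[{"message":"Field '__schema' doesn't exist on type 'Query'"}]}
BODY

if $PROGRAM_NAME == __FILE__
  puts "introspection enabled: #{introspection_enabled?(ENABLED_RESPONSE)}"
  puts "fields to inspect:     #{sensitive_fields(ENABLED_RESPONSE).inspect}"
  puts "hardened server:       #{introspection_enabled?(DISABLED_RESPONSE)}"
end
```

`probe` does the network round trip and is not exercised by the constructed samples; a name match only tells you which fields to query next, and whether such a field actually returns a usable secret to an unauthenticated caller has to be confirmed against the deployment. Foreman's API is built on graphql-ruby, where introspection is switched off on the schema class with `disable_introspection_entry_points`; the page itself does not state which setting the fixed releases use.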
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Collectors
NVD Database