Sensitive Information Disclosure in Foreman via GraphQL API
CVE-2024-6861
7.5 HIGH
Key Information:
- Vendor
- CVE Published: 6 November 2024
What is CVE-2024-6861?
A vulnerability exists in Foreman that allows attackers to exploit the GraphQL API when the introspection feature is enabled. This flaw can lead to the unauthorized retrieval of sensitive admin authentication keys. The exposure of these keys could enable attackers to compromise the integrity of the entire API, potentially leading to further exploitation of the system. Organizations using Foreman must ensure their GraphQL configurations are secured to prevent this critical information leak.
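One way to flag introspection queries in captured GraphQL request bodies during log review, as an added example (not Foreman's code and not part of the original advisory). The function name, the sample bodies and the `hosts` and `User` names in them are constructed for illustration.

```python
import json
import re

# Strip GraphQL string literals (block and single-line) and # comments so that
# text such as a search string containing "__schema" is not counted.
_NOISE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
# __schema and __type are the schema introspection entry points;
# __typename is a per-object meta field and is deliberately not matched.
_INTROSPECTION = re.compile(r'(?<![A-Za-z0-9_])__(schema|type)(?![A-Za-z0-9_])')


def introspection_fields(body: str) -> set:
    """Return the introspection entry points used in a GraphQL POST body."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return set()
    # A body may be a single operation or a batched array of operations.
    operations = payload if isinstance(payload, list) else [payload]
    found = set()
    for op in operations:
        query = op.get("query") if isinstance(op, dict) else None
        if isinstance(query, str):
            cleaned = _NOISE.sub(" ", query)
            found.update("__" + m for m in _INTROSPECTION.findall(cleaned))
    return found


# Constructed sample request bodies (not taken from a real Foreman instance).
SAMPLES = {
    "schema_dump": '{"query": "query { __schema { types { name fields { name } } } }"}',
    "type_lookup": '{"query": "{ __type(name: \\"User\\") { fields { name } } }"}',
    "typename_only": '{"query": "{ hosts { nodes { __typename name } } }"}',
    "literal_only": '{"query": "{ hosts(search: \\"__schema\\") { nodes { name } } }"}',
    "batched": '[{"query": "{ hosts { nodes { name } } }"}, '
               '{"query": "{ __schema { queryType { name } } }"}]',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, sorted(introspection_fields(body)))
```

A non-empty result on a production endpoint is a cue to check whether introspection should be reachable there at all.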