PT-2021-21064 · Foreman+2 · Foreman+2
Lukas Zapletal
·
Published
2021-12-06
·
Updated
2024-07-27
·
CVE-2021-3584
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
Foreman versions prior to 2.4.1
Foreman versions prior to 2.5.1
Foreman versions prior to 3.0.0
Description:
A server-side remote code execution issue was found in the Foreman project. An authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threat from this issue is to confidentiality, integrity, and availability of the system.
Recommendations:
For versions prior to 2.4.1, update to version 2.4.1 or later.
For versions prior to 2.5.1, update to version 2.5.1 or later.
For versions prior to 3.0.0, update to version 3.0.0 or later.
As a temporary workaround, consider restricting access to Sendmail configuration options to minimize the risk of exploitation.
Fix
RCE
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Foreman
Rocky Linux