CVE-2022-3874

HIGH 8.0

Os command injection via ct_command and fcct_command

CVSS Score

8.0

EPSS Score

0.0%

EPSS Percentile

0th

A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system.

CWE	CWE-78
Vendor	n/a
Product	foreman
Published	Sep 22, 2023
Last Updated	Sep 24, 2024

Stay Ahead of the Next One

Get instant alerts for n/a foreman

Be the first to know when new high vulnerabilities affecting n/a foreman are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

n/a / foreman

All versions affected

Red Hat / Red Hat Satellite 6

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/security/cve/CVE-2022-3874 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2140577

Credits

This issue was discovered by Andrew Danau (Onsec.io) and Evgeni Golov (Red Hat).