CVE-2020-10716 – rubygem-foreman_ansible: "User input" entry from Job Invocation may contain sensitive data
https://notcve.org/view.php?id=CVE-2020-10716
A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4. Se encontró un fallo en Job Invocation de Red Hat Satellite, donde la entrada "User Input" no estaba restringida apropiadamente a la visualización. Este fallo permite a un usuario de Satellite malicioso escanear por medio del Job Invocation, con la capacidad de buscar contraseñas y otros datos confidenciales. • https://bugzilla.redhat.com/show_bug.cgi?id=1814998 https://bugzilla.redhat.com/show_bug.cgi?id=1827300 https://access.redhat.com/security/cve/CVE-2020-10716 • CWE-285: Improper Authorization •
CVE-2021-3494 – foreman: possible man-in-the-middle in smart_proxy realm_freeipa
https://notcve.org/view.php?id=CVE-2021-3494
A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0. Un proxy inteligente que proporciona una API restful a varios subsistemas del Foreman está afectado por un fallo que puede causar un ataque de tipo Man-in-the-Middle. • https://bugzilla.redhat.com/show_bug.cgi?id=1948005 https://access.redhat.com/security/cve/CVE-2021-3494 • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2021-3413 – Satellite: Azure compute resource secret_key leak to authenticated users
https://notcve.org/view.php?id=CVE-2021-3413
A flaw was found in Red Hat Satellite in tfm-rubygem-foreman_azure_rm in versions before 2.2.0. A credential leak was identified which will expose Azure Resource Manager's secret key through JSON of the API output. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en Red Hat Satellite en tfm-rubygem-foreman_azure_rm en versiones anteriores a 2.2.0. Se identificó una filtración de credenciales que expondrá la clave secreta de Azure Resource Manager mediante la salida JSON de la API. • https://bugzilla.redhat.com/show_bug.cgi?id=1930352 https://access.redhat.com/security/cve/CVE-2021-3413 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-0091
https://notcve.org/view.php?id=CVE-2014-0091
Foreman has improper input validation which could lead to partial Denial of Service Foreman presenta una comprobación de entrada inapropiada lo que podría conllevar a una Denegación de Servicio parcial. • https://access.redhat.com/security/cve/cve-2014-0091 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0091 https://security-tracker.debian.org/tracker/CVE-2014-0091 • CWE-20: Improper Input Validation •
CVE-2019-10198 – foreman: authorization bypasses in foreman-tasks leading to information disclosure
https://notcve.org/view.php?id=CVE-2019-10198
An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task. Se descubrió una vulnerabilidad de identificación de bypass en foreman-tasks anterior a 0.15.7. anteriormente las tareas de confirmación fueron buscadas a través de find_resoruce, la cual realizó verificaciones de autorización. Después de cambiar a foreman, un usuario no identificado poder visualizar los detalles de una tarea a través de la web UI o API, si pueden descubrir o adivinar la tarea. • https://access.redhat.com/errata/RHSA-2019:3172 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10198 https://projects.theforeman.org/issues/27275 https://access.redhat.com/security/cve/CVE-2019-10198 https://bugzilla.redhat.com/show_bug.cgi?id=1729130 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function CWE-592: DEPRECATED: Authentication Bypass Issues •