smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature
Published: September 14, 2018
SECURITY IDENTIFIERS
- CVE: CVE-2018-14643 (NVD)
- GHSA: GHSA-gx5g-xcxj-cx2w
- Vendor Advisory: https://github.com/theforeman/smart_proxy_dynflow/pull/54
GEM
SEVERITY
PATCHED VERSIONS
~> 0.1.11
>= 0.2.1
DESCRIPTION
An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.