Lucene search

Redhat.comRH:CVE-2024-7700

HistoryAug 12, 2024 - 11:16 a.m.

CVE-2024-7700

2024-08-1211:16:55

redhat.com

access.redhat.com

command injection

host init config

foreman application

install packages

unauthorized execution.

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

Low

EPSS

Percentile

9.5%

JSON

A command injection flaw was found in the “Host Init Config” template in the Foreman application via the “Install Packages” field on the “Register Host” page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script.

References

bugzilla.redhat.com/show_bug.cgi?id=2304090

nvd.nist.gov/vuln/detail/CVE-2024-7700

www.cve.org/CVERecord?id=CVE-2024-7700

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

Low

EPSS

Percentile

9.5%

JSON

Related for RH:CVE-2024-7700