11 matches found

CVE-2021-20260 (CVE, added 2022/08/26 4:15 p.m., 1545 views)

A flaw was found in the Foreman project. The Datacenter plugin exposes the password through the API to an authenticated local attacker with view_hosts permission. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 7.8, AI score 7.4, EPSS 0.001

CVE-2021-20259 (CVE, added 2021/06/07 9:15 p.m., 77 views)

A flaw was found in the Foreman project. The Proxmox compute resource exposes the password through the API to an authenticated local attacker with view_hosts permission. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Versions befo...

CVSS 7.8, AI score 7.3, EPSS 0.00038

CVE-2014-8183 (CVE, added 2019/08/01 2:15 p.m., 67 views)

It was found that foreman, versions 1.x.x before 1.15.6, in Satellite 6 did not properly enforce access controls on certain resources. An attacker with access to the API and knowledge of the resource name can access resources in other organizations.

CVSS 7.4, AI score 7.3, EPSS 0.00153

CVE-2014-0007 (CVE, added 2014/06/20 2:55 p.m., 64 views)

The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file.

CVSS 7.5, AI score 7.8, EPSS 0.05967

CVE-2013-4386 (CVE, Web, added 2013/11/20 2:12 p.m., 59 views)

Multiple SQL injection vulnerabilities in app/models/concerns/host_common.rb in Foreman before 1.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) fqdn or (2) hostgroup parameter.

CVSS 7.5, AI score 8.8, EPSS 0.00354

CVE-2014-3691 (CVE, added 2015/03/09 2:59 p.m., 59 views)

Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate.

CVSS 7.5, AI score 7.6, EPSS 0.00351

CVE-2018-16861 (CVE, added 2018/12/07 7:29 p.m., 58 views)

A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute XSS attacks against other users, possibly leading to malicious code execution and extrac...

CVSS 7.6, AI score 5, EPSS 0.00388

CVE-2013-4182 (CVE, added 2013/09/16 7:14 p.m., 55 views)

app/controllers/api/v1/hosts_controller.rb in Foreman before 1.2.2 does not properly restrict access to hosts, which allows remote attackers to access arbitrary hosts via an API request.

CVSS 7.5, AI score 6.9, EPSS 0.00712

CVE-2013-0210 (CVE, added 2014/05/08 2:29 p.m., 41 views)

The smart proxy Puppet run API in Foreman before 1.2.0 allows remote attackers to execute arbitrary commands via vectors related to escaping and Puppet commands.

CVSS 7.5, AI score 7.8, EPSS 0.00812

CVE-2013-0171 (CVE, added 2014/05/08 2:29 p.m., 38 views)

Foreman before 1.1 allows remote attackers to execute arbitrary code via a crafted YAML object to the (1) fact or (2) report import API.

CVSS 7.5, AI score 7.9, EPSS 0.02006

CVE-2012-5648 (CVE, added 2014/04/04 2:55 p.m., 32 views)

Multiple SQL injection vulnerabilities in Foreman before 1.0.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) app/models/hostext/search.rb or (2) app/models/puppetclass.rb, related to the search mechanism.

CVSS 7.5, AI score 8.8, EPSS 0.00605