CVE-2023-0118 - OpenCVE

An arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode in templates and execute arbitrary code on the underlying operating system.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Satellite Enterprise Linux
Theforeman	Foreman

Configuration 1 [-]

cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:redhat:satellite:*:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2023:4466	Release Notes Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:5979
https://access.redhat.com/errata/RHSA-2023:5980
https://access.redhat.com/errata/RHSA-2023:6818
https://access.redhat.com/security/cve/CVE-2023-0118	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2159291	Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-20T13:39:27.756Z

Updated: 2024-05-03T15:32:29.709Z

Reserved: 2023-01-09T13:21:05.016Z

Link: CVE-2023-0118

JSON object: View

NVD Information

Status : Modified

Published: 2023-09-20T14:15:12.827

Modified: 2024-05-03T16:15:09.320

Link: CVE-2023-0118

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-0118", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-01-09T13:21:05.016Z", "datePublished": "2023-09-20T13:39:27.756Z", "dateUpdated": "2024-05-03T15:32:29.709Z"}, "containers": {"cna": {"title": "Foreman: arbitrary code execution through templates", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode in templates and execute arbitrary code on the underlying operating system."}], "affected": [{"packageName": "foreman", "collectionURL": "https://github.com/theforeman/foreman", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.11 for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "foreman", "defaultStatus": "affected", "versions": [{"version": "0:3.1.1.27-1.el7sat", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_capsule:6.11::el8", "cpe:/a:redhat:satellite_capsule:6.11::el7", "cpe:/a:redhat:satellite_utils:6.11::el8", "cpe:/a:redhat:satellite:6.11::el7", "cpe:/a:redhat:satellite_utils:6.11::el7", "cpe:/a:redhat:satellite:6.11::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.11 for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "foreman", "defaultStatus": "affected", "versions": [{"version": "0:3.1.1.27-1.el7sat", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_capsule:6.11::el8", "cpe:/a:redhat:satellite_capsule:6.11::el7", "cpe:/a:redhat:satellite_utils:6.11::el8", "cpe:/a:redhat:satellite:6.11::el7", "cpe:/a:redhat:satellite_utils:6.11::el7", "cpe:/a:redhat:satellite:6.11::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.11 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "foreman", "defaultStatus": "affected", "versions": [{"version": "0:3.1.1.27-1.el8sat", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_capsule:6.11::el8", "cpe:/a:redhat:satellite_capsule:6.11::el7", "cpe:/a:redhat:satellite_utils:6.11::el8", "cpe:/a:redhat:satellite:6.11::el7", "cpe:/a:redhat:satellite_utils:6.11::el7", "cpe:/a:redhat:satellite:6.11::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.11 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "foreman", "defaultStatus": "affected", "versions": [{"version": "0:3.1.1.27-1.el8sat", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_capsule:6.11::el8", "cpe:/a:redhat:satellite_capsule:6.11::el7", "cpe:/a:redhat:satellite_utils:6.11::el8", "cpe:/a:redhat:satellite:6.11::el7", "cpe:/a:redhat:satellite_utils:6.11::el7", "cpe:/a:redhat:satellite:6.11::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.12 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rubygem-safemode", "defaultStatus": "affected", "versions": [{"version": "0:1.3.8-1.el8sat", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite:6.12::el8", "cpe:/a:redhat:satellite_capsule:6.12::el8", "cpe:/a:redhat:satellite_utils:6.12::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.13 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rubygem-safemode", "defaultStatus": "affected", "versions": [{"version": "0:1.3.8-1.el8sat", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_capsule:6.13::el8", "cpe:/a:redhat:satellite_utils:6.13::el8", "cpe:/a:redhat:satellite_maintenance:6.13::el8", "cpe:/a:redhat:satellite:6.13::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.14 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "foreman", "defaultStatus": "affected", "versions": [{"version": "0:3.7.0.9-1.el8sat", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_maintenance:6.14::el8", "cpe:/a:redhat:satellite_utils:6.14::el8", "cpe:/a:redhat:satellite:6.14::el8", "cpe:/a:redhat:satellite_capsule:6.14::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.14 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "foreman", "defaultStatus": "affected", "versions": [{"version": "0:3.7.0.9-1.el8sat", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_maintenance:6.14::el8", "cpe:/a:redhat:satellite_utils:6.14::el8", "cpe:/a:redhat:satellite:6.14::el8", "cpe:/a:redhat:satellite_capsule:6.14::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:4466", "name": "RHSA-2023:4466", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5979", "name": "RHSA-2023:5979", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5980", "name": "RHSA-2023:5980", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6818", "name": "RHSA-2023:6818", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-0118", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159291", "name": "RHBZ#2159291", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-03-12T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "timeline": [{"lang": "en", "time": "2022-12-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-03-12T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Andrew Danau (Onsec.io) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-03T15:32:29.709Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C66A3AE-183C-49B6-9B8A-53BB90AFBDCF", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:satellite:*:*:*:*:*:*:*:*", "matchCriteriaId": "88D8026B-94E6-4B69-AEEB-7A1B26D1153C", "versionEndExcluding": "6.13.3", "versionStartIncluding": "6.13", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode in templates and execute arbitrary code on the underlying operating system."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la ejecuci\u00f3n de c\u00f3digo arbitrario en Foreman. Esta falla permite a un usuario administrador omitir el modo seguro en las plantillas y ejecutar c\u00f3digo arbitrario en el sistema operativo subyacente."}], "id": "CVE-2023-0118", "lastModified": "2024-05-03T16:15:09.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-09-20T14:15:12.827", "references": [{"source": "secalert@redhat.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:4466"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:5979"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:5980"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:6818"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-0118"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159291"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "secalert@redhat.com", "type": "Secondary"}]}