CVE-2018-14643 – smart_proxy_dynflow
Package
Manager: gem
Name: smart_proxy_dynflow
Vulnerable Version: =0.2.0 || >=0.2.0 <0.2.1 || >=0 <0.1.11
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.08948 (percentile: 0.92264)
Details
smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature
An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.
Metadata
Created: 2018-10-08T23:18:13Z
Modified: 2023-08-28T13:40:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gx5g-xcxj-cx2w/GHSA-gx5g-xcxj-cx2w.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-gx5g-xcxj-cx2w
Finding: F039
Auto approve: 1