CVE-2018-14643

Impact:
Critical
Public Date:
2018-09-20
CWE:
CWE-592
Bugzilla:
1629063: CVE-2018-14643 smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature
An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.

Find out more about CVE-2018-14643 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 9.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Satellite 6.3 (rubygem-smart_proxy_dynflow) RHSA-2018:2733 2018-09-20
Red Hat Satellite Capsule 6.3 (rubygem-smart_proxy_dynflow) RHSA-2018:2733 2018-09-20

Affected Packages State

Platform Package State
Red Hat Satellite 6 tfm-rubygem-smart_proxy_dynflow_core Not affected
Red Hat Satellite 6 rubygem-smart_proxy_dynflow Affected

Acknowledgements

This issue was discovered by Ivan Necas (Red Hat).

Mitigation

Disable Smart Proxy Dynflow by setting the :enabled: option to false in the /etc/foreman-proxy/settings.d/dynflow.yml file.

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.