Bug #14140

Arbitrary Ruby code execution via Discovery setting

Added by Lukas Zapletal about 1 year ago. Updated about 1 year ago.

Status:Resolved
Priority:Normal
Assigned To:Alon Goldboim
Category:Image
Target version:Plugin 5.0.2
Difficulty:trivial
Pull request:https://github.com/theforeman/foreman_discovery/pull/260
Bugzilla link:
Story points-
Velocity based estimate-

Description

We have a couple of evals found during review of the new Discovery Show page:

https://github.com/lzap/foreman_discovery/blob/fact-clear-14100/app/controllers/discovered_hosts_controller.rb#L188-L193

You can run arbitrary Ruby code by entering it under About - Settings - Discovery and then visiting a discovered host detail page, where it gets rendered.
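As an added illustration, not the plugin's own code and not the lines linked above, the following constructed Ruby shows the class of pattern the report describes (a user-editable setting value reaching `eval`) next to a hardened form that treats the setting as data and looks facts up by name; the class, method and fact names are hypothetical.

```ruby
# Constructed illustration with hypothetical names; not the plugin's own code.
# A setting (editable in the web UI) holds a comma-separated list of
# fact names to show on the discovered host page.

# Hypothetical discovered host exposing the facts it reported.
class DiscoveredHost
  attr_reader :facts
  def initialize(facts)
    @facts = facts
  end
end

# Vulnerable pattern (do not use): the setting text is spliced into Ruby
# source and handed to eval, so whatever is stored in the setting is executed
# as code in the Rails process instead of being treated as a list of names.
def facts_from_setting_unsafe(host, setting_value)
  setting_value.split(',').map(&:strip).map do |name|
    eval("host.facts['#{name}']")
  end
end

# Hardened form: the setting stays data. Each entry must look like a fact
# name and is only ever used as a hash key; anything else is dropped and
# returned separately so the caller can log or display a validation error.
FACT_NAME = /\A[A-Za-z0-9_.:-]+\z/

def facts_from_setting(host, setting_value)
  shown = {}
  rejected = []
  setting_value.split(',').map(&:strip).reject(&:empty?).each do |name|
    if name.match?(FACT_NAME)
      shown[name] = host.facts[name]
    else
      rejected << name
    end
  end
  [shown, rejected]
end

if __FILE__ == $0
  host = DiscoveredHost.new('memorysize_mb' => '4096', 'processorcount' => '2')
  shown, rejected = facts_from_setting(host, 'memorysize_mb, processorcount, not a fact')
  p shown     # {"memorysize_mb"=>"4096", "processorcount"=>"2"}
  p rejected  # ["not a fact"]
end
```

The same validation belongs on the settings form itself, so a malformed value is refused at save time rather than only ignored at render time.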

Associated revisions

Revision 7b8ac717
Added by Alon Goldboim about 1 year ago

Fixes #14099, #14140 - removed the use of eval, typos

History

#1 Updated by Lukas Zapletal about 1 year ago

  • Description updated (diff)

#2 Updated by Lukas Zapletal about 1 year ago

  • Status changed from New to Ready For Testing
  • Assigned To changed from Lukas Zapletal to Alon Goldboim
  • Pull request https://github.com/theforeman/foreman_discovery/pull/260 added

#3 Updated by Dominic Cleal about 1 year ago

  • Private changed from Yes to No

Marking as public as it's been referenced in the associated pull request.

Lukas has also reported it to foreman-security and since this only affects the version of Discovery that's used with a release candidate version of Foreman, no CVE will be assigned as it's generally pre-release. The issue should be resolved in time for 1.11.0's release and it should be documented on http://theforeman.org/security.html.

#4 Updated by Lukas Zapletal about 1 year ago

  • Status changed from Ready For Testing to Resolved

Merged into develop and 5.0 series, bugfix release by EOBW.
