Bug #36759

closed

CVE-2022-3874: OS command injection via ct_command and fcct_command

Added by Evgeni Golov 10 months ago. Updated 9 months ago.

Status: Closed
Priority: High
Assignee:
Category: Settings
Target version:
Fixed in Releases:
Found in Releases:

Description

The ct_command and fcct_command settings allow authenticated users to execute arbitrary commands on the server. These commands are used to transpile CoreOS and Fedora CoreOS configurations in templates. Changing the command requires admin privileges on the Foreman instance.


Related issues 1 (0 open, 1 closed)

Related to Installer - Bug #36812: allow setting (fc)ct_location (Closed, Evgeni Golov)

#1

Updated by The Foreman Bot 10 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/9836 added
#2

Updated by Evgeni Golov 9 months ago

  • Target version set to 3.8.0
#3

Updated by The Foreman Bot 9 months ago

  • Pull request https://github.com/theforeman/foreman/pull/9845 added
#4

Updated by Evgeni Golov 9 months ago

  • Status changed from Ready For Testing to Closed
#5

Updated by The Foreman Bot 9 months ago

  • Fixed in Releases 3.8.0 added
#6

Updated by Evgeni Golov 9 months ago

  • Related to Bug #36812: allow setting (fc)ct_location added