Bug #36759

closed

CVE-2022-3874: OS command injection via ct_command and fcct_command

Added by Evgeni Golov over 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: High
Assignee:
Category: Settings
Target version:
Fixed in Releases:
Found in Releases:

Description

The ct_command and fcct_command settings allow authenticated users to execute arbitrary commands on the server. These commands are used to transpile CoreOS and Fedora CoreOS configurations in templates. Changing the command requires admin privileges on the Foreman instance.
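The bug class described above, a command taken from an editable setting, can be contained by pinning the executable outside the web UI and never passing the value through a shell. The following Ruby sketch is an added example, not Foreman's code and not the fix from the linked pull requests; `PINNED_TRANSPILERS`, `validate_transpiler_command`, `transpile` and the array-shaped setting value are all assumptions made for illustration.

```ruby
require 'open3'

# Added illustration; not Foreman code. All names below are hypothetical.
class UnsafeCommand < StandardError; end

# Assumption: the operator pins transpiler binaries in a root-owned config
# file, so changing them needs access to the host, not a web login.
PINNED_TRANSPILERS = ['/usr/bin/ct', '/usr/bin/fcct'].freeze

# Validate a command setting stored as [executable, arg, ...].
# Returns the frozen argv or raises UnsafeCommand.
def validate_transpiler_command(value, pinned: PINNED_TRANSPILERS)
  unless value.is_a?(Array) && !value.empty? && value.all? { |v| v.is_a?(String) }
    raise UnsafeCommand, 'command must be a non-empty array of strings'
  end
  exe, *args = value
  # Exact match on an absolute path: no PATH lookup, no relative paths.
  raise UnsafeCommand, "executable #{exe.inspect} is not pinned" unless pinned.include?(exe)
  raise UnsafeCommand, 'NUL byte in argument' if args.any? { |a| a.include?("\0") }
  [exe, *args].freeze
end

# Run the validated command with the template on stdin and return stdout.
# Pinning limits which binary runs; arguments that remain editable still
# need review against that binary's own options.
def transpile(value, input, pinned: PINNED_TRANSPILERS)
  exe, *args = validate_transpiler_command(value, pinned: pinned)
  # The [path, argv0] form makes Ruby exec the binary directly, never via
  # /bin/sh, so shell metacharacters in args stay literal.
  out, status = Open3.capture2([exe, exe], *args, stdin_data: input)
  raise UnsafeCommand, "transpiler exited with #{status.exitstatus}" unless status.success?
  out
end
```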


Related issues 1 (0 open, 1 closed)

Related to Installer - Bug #36812: allow setting (fc)ct_location (Closed, Evgeni Golov)

#1

Updated by The Foreman Bot over 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/9836 added
#2

Updated by Evgeni Golov about 1 year ago

  • Target version set to 3.8.0
#3

Updated by The Foreman Bot about 1 year ago

  • Pull request https://github.com/theforeman/foreman/pull/9845 added
#4

Updated by Evgeni Golov about 1 year ago

  • Status changed from Ready For Testing to Closed
#5

Updated by The Foreman Bot about 1 year ago

  • Fixed in Releases 3.8.0 added
#6

Updated by Evgeni Golov about 1 year ago

  • Related to Bug #36812: allow setting (fc)ct_location added