CVE-2021-3584

A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed releases are 2.4.1, 2.5.1, 3.0.0.

Published: Dec 23, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-3584
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
theforeman / foreman	-	2.4.1
theforeman / foreman	2.5.0	2.5.1
theforeman / foreman	3.0.0-rc1	3.0.0-rc1.x
theforeman / foreman	3.0.0-rc2	3.0.0-rc2.x
redhat / satellite	6.0	6.0.x

https://bugzilla.redhat.com/show_bug.cgi?id=1968439
https://github.com/theforeman/foreman/pull/8599
https://projects.theforeman.org/issues/32753

Vulnerability Database

289,599

CVE-2021-3584