CVE-2013-4386 — SQL Injection in Foreman

CWE-89 — SQL Injection5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 33.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Theforeman Foreman Redhat Openstack

Timeline

PublishedNov 20

Latest updateMay 14

Description

Multiple SQL injection vulnerabilities in app/models/concerns/host_common.rb in Foreman before 1.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) fqdn or (2) hostgroup parameter.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDtheforeman/foreman1.2.2+2

▶NVDredhat/openstack3.0

Patches

Patch: projects.theforeman.org ↗Patch: projects.theforeman.org ↗

🔴Vulnerability Details

GHSA

GHSA-28hw-8f4m-6fxw: Multiple SQL injection vulnerabilities in app/models/concerns/host_common↗2022-05-14

▶

CVEList

CVE-2013-4386: Multiple SQL injection vulnerabilities in app/models/concerns/host_common↗2013-11-19

▶

📋Vendor Advisories

Red Hat

Foreman: host and host group parameter SQL injection↗2013-10-07

▶

💬Community

Bugzilla

CVE-2013-4386 Foreman: host and host group parameter SQL injection↗2013-09-27

▶