CVE-2021-3589Missing Authentication for Critical Function in Foreman Ansible

CWE-306Missing Authentication for Critical Function5 documents5 sources
Severity
8.0HIGHNVD
EPSS
0.2%
top 55.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Theforeman Foreman AnsibleRedhat Satellite
Timeline
PublishedMar 23
Latest updateMar 24

Description

An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 1.3 | Impact: 6.0

Affected Packages4 packages

RubyGemstheforeman/foreman_ansible< 2.0.0
CVEListV5theforeman/foreman_ansibleAffects foreman_ansible-2.0.0 and above.

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
OSV
Missing Authentication for Critical Function in Foreman Ansible2022-03-24
GHSA
Missing Authentication for Critical Function in Foreman Ansible2022-03-24
CVEList
CVE-2021-3589: An authorization flaw was found in Foreman Ansible2022-03-23

📋Vendor Advisories

1
Red Hat
foreman_ansible: authenticated user can access host through job_template2021-06-08
CVE-2021-3589 — Foreman Ansible vulnerability | cvebase