CVE-2024-7012

216.73.216.10

· Published 04/09/2024 14:15 · Modified 19/09/2024 06:15

Labels: CVE-2024-7012 2024-09-04 CVE-2024-7012 CWE-287 [email protected]

Essential information

Published: 04/09/2024 14:15
Modified: 19/09/2024 06:15
Author: —
Creator: —
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) and could potentially enable unauthorized users to gain administrative access.

NVD status

Status: Modified — CVE has been amended by a source (CVE Primary CNA or another CNA). Analysis data supplied by the NVD may be no longer be accurate due to these changes.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
redhat / satellite	`cpe:2.3:a:redhat:satellite:6.13:::::::*`
redhat / satellite	`cpe:2.3:a:redhat:satellite:6.14:::::::*`
redhat / satellite	`cpe:2.3:a:redhat:satellite:6.15:::::::*`