{
  "threat_severity" : "Moderate",
  "public_date" : "2021-06-16T14:00:00Z",
  "bugzilla" : {
    "description" : "foreman: Authenticated remote code execution through Sendmail configuration",
    "id" : "1968439",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1968439"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-78",
  "details" : [ "A server-side remote code execution vulnerability was found in the Foreman project. An authenticated attacker with sufficient privileges to modify application settings (the CVSS vector rates this as PR:H) could change the Sendmail configuration settings (sendmail_location / sendmail_arguments) to override the defaults and perform OS command injection (CWE-78). The highest threat from this vulnerability is to the confidentiality, integrity and availability of the system. Fixed releases are 2.4.1, 2.5.1, 3.0.0.", "A server-side remote code execution vulnerability was found in the Foreman project. An authenticated attacker with sufficient privileges to modify application settings could change the Sendmail configuration settings to override the defaults and perform OS command injection. The highest threat from this vulnerability is to the confidentiality, integrity and availability of the system." ],
  "acknowledgement" : "Upstream acknowledges Jakub Heba (AFINE) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.11 for RHEL 7",
    "release_date" : "2022-07-05T00:00:00Z",
    "advisory" : "RHSA-2022:5498",
    "cpe" : "cpe:/a:redhat:satellite:6.11::el7",
    "package" : "foreman-0:3.1.1.21-2.el7sat",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Satellite 6.11 for RHEL 7",
    "release_date" : "2022-07-05T00:00:00Z",
    "advisory" : "RHSA-2022:5498",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.11::el7",
    "package" : "foreman-0:3.1.1.21-2.el7sat",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Satellite 6.11 for RHEL 7",
    "release_date" : "2022-07-05T00:00:00Z",
    "advisory" : "RHSA-2022:5498",
    "cpe" : "cpe:/a:redhat:satellite_utils:6.11::el7",
    "package" : "foreman-0:3.1.1.21-2.el7sat",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Satellite 6.11 for RHEL 8",
    "release_date" : "2022-07-05T00:00:00Z",
    "advisory" : "RHSA-2022:5498",
    "cpe" : "cpe:/a:redhat:satellite:6.11::el8",
    "package" : "foreman-0:3.1.1.21-2.el8sat",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Satellite 6.11 for RHEL 8",
    "release_date" : "2022-07-05T00:00:00Z",
    "advisory" : "RHSA-2022:5498",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.11::el8",
    "package" : "foreman-0:3.1.1.21-2.el8sat",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Satellite 6.11 for RHEL 8",
    "release_date" : "2022-07-05T00:00:00Z",
    "advisory" : "RHSA-2022:5498",
    "cpe" : "cpe:/a:redhat:satellite_utils:6.11::el8",
    "package" : "foreman-0:3.1.1.21-2.el8sat",
    "impact" : "moderate"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3584\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3584" ],
  "name" : "CVE-2021-3584",
  "mitigation" : {
    "value" : "This vulnerability can be mitigated by setting the following two values in the `/etc/foreman/settings.yaml` file, which renders them read-only from the application so an authenticated attacker can no longer alter them: \n:sendmail_location: '/usr/sbin/sendmail'\n:sendmail_arguments: '-i'\nThis is a workaround only; upgrading to a fixed release (2.4.1, 2.5.1, 3.0.0 upstream, or the advisory packages listed above) remains the complete fix.",
    "lang" : "en:us"
  },
  "csaw" : false
}