{ "threat_severity" : "Important", "public_date" : "2023-03-21T00:00:00Z", "bugzilla" : { "description" : "Satellite/Foreman: Arbitrary code execution through yaml global parameters", "id" : "2162970", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2162970" }, "cvss3" : { "cvss3_base_score" : "9.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-94", "details" : [ "An arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload.", "An arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload." ], "acknowledgement" : "Red Hat would like to thank Andrew Danau (Onsec.io) for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat Satellite 6.11 for RHEL 7", "release_date" : "2023-10-20T00:00:00Z", "advisory" : "RHSA-2023:5980", "cpe" : "cpe:/a:redhat:satellite_utils:6.11::el7", "package" : "foreman-0:3.1.1.27-1.el7sat" }, { "product_name" : "Red Hat Satellite 6.11 for RHEL 8", "release_date" : "2023-10-20T00:00:00Z", "advisory" : "RHSA-2023:5980", "cpe" : "cpe:/a:redhat:satellite_utils:6.11::el8", "package" : "foreman-0:3.1.1.27-1.el8sat" }, { "product_name" : "Red Hat Satellite 6.12 for RHEL 8", "release_date" : "2023-10-20T00:00:00Z", "advisory" : "RHSA-2023:5979", "cpe" : "cpe:/a:redhat:satellite_utils:6.12::el8", "package" : "foreman-0:3.3.0.23-1.el8sat" }, { "product_name" : "Red Hat Satellite 6.13 for RHEL 8", "release_date" : "2023-10-19T00:00:00Z", "advisory" : "RHSA-2023:5931", "cpe" : "cpe:/a:redhat:satellite_utils:6.13::el8", "package" : "foreman-0:3.5.1.23-1.el8sat" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-0462\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0462" ], "name" : "CVE-2023-0462", "csaw" : false }