GitHub Advisory DatabaseGHSA-VVFF-6WRR-4G7QMissing Authentication for Critical Function in Foreman Ansible
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
37.0%
An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| theforeman | foreman_ansible | * | cpe:2.3:a:theforeman:foreman_ansible:*:*:*:*:*:*:*:* |
References
access.redhat.com/security/cve/CVE-2021-3589
bugzilla.redhat.com/show_bug.cgi?id=1969265
github.com/advisories/GHSA-vvff-6wrr-4g7q
github.com/rubysec/ruby-advisory-db/blob/master/gems/foreman_ansible/CVE-2021-3589.yml
github.com/theforeman/foreman_ansible/commit/a5e0827bc3ec6c8ab82f968907857a15646305d5
nvd.nist.gov/vuln/detail/CVE-2021-3589
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
37.0%