Lucene search

RubySecRUBY:FOREMAN_ANSIBLE-2021-3589

HistoryMar 23, 2022 - 9:00 p.m.

Missing Authentication for Critical Function in Foreman Ansible

2022-03-2321:00:00

RubySec

access.redhat.com

authorization

foreman ansible

authentication

ansible jobs

data confidentiality

data integrity

system availability

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

JSON

An authorization flaw was found in Foreman Ansible. An authenticated attacker
with certain permissions to create and run Ansible jobs can access hosts
through job templates. The highest threat from this vulnerability is to data
confidentiality and integrity as well as system availability.

Affected configurations

Vulners

Node

rubyforeman_ansibleRange≤2.0.0

VendorProductVersionCPE
rubyforeman_ansible*cpe:2.3:a:ruby:foreman_ansible:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	foreman_ansible	*	cpe:2.3:a:ruby:foreman_ansible::::::::

References

access.redhat.com/security/cve/CVE-2021-3589

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

JSON

Related for RUBY:FOREMAN_ANSIBLE-2021-3589