2025-03-27
ALT-BU-2025-4822-1
Branch c9f2 update bulletin.
Closed vulnerabilities
Published: 2022-12-16
Modified: 2024-11-21
CVE-2022-4130
A blind server-side request forgery (SSRF) vulnerability was found in Satellite server. By modifying the Referer header in an HTTP request for specific resources, an attacker can make the server issue an outbound request to an attacker-controlled host. The response is not returned to the attacker (hence "blind"), but the outbound interaction itself is observable on the attacker's side.
Severity: MEDIUM (4.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
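The pattern behind the description above, as an added example that is not Satellite's or Foreman's code: a handler that builds an outbound request from the client-supplied Referer (vulnerable shape), the same handler guarded by a strict host allowlist (hardened shape), and a small check that flags access-log lines whose Referer points outside the allowlist. The allowlist host `satellite.example.com`, the helper names, the fetcher stand-in and the log lines are all constructed for this example.

```ruby
require 'uri'

# Hosts this deployment may contact when a Referer header is used to build a
# follow-up request. Hypothetical allowlist for illustration.
ALLOWED_REFERER_HOSTS = %w[satellite.example.com].freeze

# Returns the Referer as a URI only if it is an absolute http(s) URL whose host
# is exactly one of the allowlisted hosts; otherwise nil. Rejects what a blind
# SSRF probe relies on: foreign hosts, look-alike suffixes, userinfo smuggling
# ("https://satellite.example.com@attacker.example/"), non-HTTP schemes.
def safe_referer(referer, allowed_hosts = ALLOWED_REFERER_HOSTS)
  return nil if referer.nil? || referer.strip.empty?
  uri = URI.parse(referer.strip)
  return nil unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  return nil unless uri.host && uri.userinfo.nil?
  return nil unless allowed_hosts.include?(uri.host.downcase)
  uri
rescue URI::InvalidURIError
  nil
end

# Vulnerable shape: the server builds an outbound request from whatever the
# client put in Referer. `fetch` stands in for an HTTP client; in this example
# it only records the host it would have contacted and never connects.
def vulnerable_callback(headers, fetch)
  referer = headers['Referer']
  fetch.call(URI.parse(referer)) if referer
end

# Hardened shape: the same flow, but the Referer must pass safe_referer first.
def hardened_callback(headers, fetch)
  uri = safe_referer(headers['Referer'])
  fetch.call(uri) if uri
end

# Runs a handler with a recording fetcher and returns the hosts it tried to reach.
def outbound_hosts(handler, headers)
  contacted = []
  handler.call(headers, ->(uri) { contacted << uri.host })
  contacted
end

# Combined-log-format lines, constructed for this example (not real traffic).
SAMPLE_ACCESS_LOG = <<~LOG
  203.0.113.5 - - [27/Mar/2025:10:00:01 +0000] "GET /hosts HTTP/1.1" 200 512 "https://satellite.example.com/dashboard" "Mozilla/5.0"
  203.0.113.9 - - [27/Mar/2025:10:00:02 +0000] "GET /api/v2/status HTTP/1.1" 200 88 "http://probe.attacker.example/c?t=1" "curl/8.0"
  203.0.113.9 - - [27/Mar/2025:10:00:03 +0000] "GET /api/v2/status HTTP/1.1" 200 88 "-" "curl/8.0"
LOG

# Status, size, Referer and User-Agent at the end of a combined-format line.
REFERER_FIELD = /" \d{3} \S+ "([^"]*)" "[^"]*"\s*\z/

# Returns the lines whose Referer points at a non-allowlisted host ("-" and
# empty Referers are ignored): a cheap after-the-fact check for SSRF probes.
def suspicious_referer_lines(log_text, allowed_hosts = ALLOWED_REFERER_HOSTS)
  log_text.each_line.map(&:chomp).select do |line|
    m = REFERER_FIELD.match(line)
    next false unless m && m[1] != '-' && !m[1].empty?
    safe_referer(m[1], allowed_hosts).nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  probe = { 'Referer' => 'http://probe.attacker.example/c?t=1' }
  puts "vulnerable contacted: #{outbound_hosts(method(:vulnerable_callback), probe).inspect}"
  puts "hardened contacted:   #{outbound_hosts(method(:hardened_callback), probe).inspect}"
  puts 'suspicious log lines:'
  suspicious_referer_lines(SAMPLE_ACCESS_LOG).each { |l| puts "  #{l}" }
end
```

The allowlist compares the parsed host exactly rather than checking a prefix or substring, which is what defeats `satellite.example.com.attacker.example` and `satellite.example.com@attacker.example`. Because the request is blind, the log check is the practical detection: the server logs the inbound request with the odd Referer even though it returns nothing useful to the client.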
References:
Published: 2024-10-31
Modified: 2024-11-06
CVE-2024-8553
A vulnerability was found in the loader macros that were introduced with Foreman's report templates. These macros may allow an authenticated user who holds the permissions to view and create templates to read any field from Foreman's database: by passing specific strings to the loader macros, such a user can bypass the permission checks and access sensitive information.
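The class of bug described above, as an added example that is not Foreman's code: a template loader that reads back whatever field names the template author supplies (vulnerable shape) next to one that first checks the caller's permission for the resource and then accepts only field names from a fixed per-resource allowlist, matched exactly (hardened shape). The in-memory "database", the permission names `view_hosts`/`view_users`, the field allowlist and the function names are all hypothetical; the advisory does not say which strings triggered the real bypass, and this example does not try to reproduce them.

```ruby
# Constructed in-memory stand-in for a database: table name => rows.
# Illustrative data only, not Foreman's schema.
FAKE_DB = {
  'hosts' => [
    { 'name' => 'web01.example.com', 'ip' => '192.0.2.10', 'owner_id' => 1 }
  ],
  'users' => [
    { 'login' => 'admin', 'mail' => 'admin@example.com',
      'password_hash' => '$2a$12$constructed', 'api_token' => 'constructed-token' }
  ]
}.freeze

# Fields a report template may read, per resource. Nothing outside this map is
# reachable, whatever the template asks for. Hypothetical allowlist.
LOADER_FIELDS = {
  'hosts' => %w[name ip],
  'users' => %w[login mail]
}.freeze

# Permission the caller must hold to load each resource (hypothetical names).
LOADER_PERMISSIONS = { 'hosts' => 'view_hosts', 'users' => 'view_users' }.freeze

class LoaderError < StandardError; end

# Vulnerable shape: the macro passes the caller-supplied field names straight
# through to the query, so any column the template author names is read back,
# password hashes and API tokens included.
def load_records_unrestricted(resource, fields)
  rows = FAKE_DB.fetch(resource) { raise LoaderError, "unknown resource #{resource}" }
  rows.map { |row| row.slice(*fields) }
end

# Hardened shape: check the caller's permission for the resource, then accept
# only allowlisted field names, compared exactly as strings (no search
# expressions, no association traversal such as "owner.password_hash").
def load_records(resource, fields, user_permissions)
  needed = LOADER_PERMISSIONS[resource]
  raise LoaderError, "unknown resource #{resource}" unless needed
  raise LoaderError, "missing permission #{needed}" unless user_permissions.include?(needed)
  allowed = LOADER_FIELDS.fetch(resource)
  bad = fields.reject { |f| f.is_a?(String) && allowed.include?(f) }
  raise LoaderError, "field(s) not exposed to templates: #{bad.join(', ')}" unless bad.empty?
  FAKE_DB.fetch(resource).map { |row| row.slice(*fields) }
end

if __FILE__ == $PROGRAM_NAME
  puts load_records_unrestricted('users', %w[login password_hash]).inspect
  puts load_records('hosts', %w[name ip], %w[view_hosts]).inspect
  begin
    load_records('users', %w[login password_hash], %w[view_users])
  rescue LoaderError => e
    puts "rejected: #{e.message}"
  end
end
```

The important design point is that the allowlist is consulted before any query is built, and the permission check is on the resource the template names, not on the template itself: holding the permission to create templates must not be enough to read arbitrary rows.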
References: