Уязвимость функции YAML.load() библиотеки синтаксического анализатора YAML приложения для управления, настройки и мониторинга сервера Foreman и программного средства для управления системами Red Hat Satellite, позволяющая нарушителю выполнить произвольный код

An arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload.

A sensitive information exposure vulnerability was found in foreman. Contents of tomcat's server.xml file, which contain passwords to candlepin's keystore and truststore, were found to be world readable.

A vulnerability was found in Foreman's loader macros introduced with report templates. These macros may allow an authenticated user with permissions to view and create templates to read any field from Foreman's database. By using specific strings in the loader macros, users can bypass permissions and access sensitive information.