CVE-2023-0462

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

A

n arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload.

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2023-0462	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2162970	Issue Tracking Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-0462	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2162970	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:redhat:satellite:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:37

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.1~~	v2 : unknown v3 : 8.0
References	~~() https://access.redhat.com/security/cve/CVE-2023-0462 - Third Party Advisory~~	() https://access.redhat.com/security/cve/CVE-2023-0462 - Third Party Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2162970 - Issue Tracking, Third Party Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2162970 - Issue Tracking, Third Party Advisory

Information

Published : 2023-09-20 14:15

Updated : 2024-11-21 07:37

NVD link : CVE-2023-0462

Mitre link : CVE-2023-0462

CVE.ORG link : CVE-2023-0462

JSON object : View

Products Affected

satellite

foreman

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2023-0462", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2023-09-20T14:15:12.990", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-0462", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162970", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2023-0462", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162970", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "An arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la ejecuci\u00f3n de c\u00f3digo arbitrario en Foreman. Este problema puede permitir que un usuario administrador ejecute c\u00f3digo arbitrario en el sistema operativo subyacente estableciendo par\u00e1metros globales con un payload YAML."}], "lastModified": "2024-11-21T07:37:13.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13E27457-9E93-45C1-907F-7E5852B4FD1F", "versionEndExcluding": "3.8.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:satellite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1EF9AC67-8BDC-4B5E-B5A0-B9232033361B", "versionStartIncluding": "6.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}