Security Features in Foreman



Published: 2017-10-06 | Updated: 2020-08-08
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2015-5246
CWE-ID CWE-254
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Foreman
Web applications / Remote management & hosting panels

Vendor Foreman

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Security Features

EUVDB-ID: #VU38131

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-5246

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Foreman: 1.9.0

CPE2.3 External links

http://projects.theforeman.org/issues/11471
http://bugzilla.redhat.com/show_bug.cgi?id=1258700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###