CVE-2024-4871

EPSS 3.04%
Veröffentlicht 14.05.2024 16:17:37
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Foreman: host ssh key not being checked in remote execution

A vulnerability was found in Satellite. When running a remote execution job on a host, the host's SSH key is not being checked. When the key changes, the Satellite still connects it because it uses "-o StrictHostKeyChecking=no". This flaw can lead to a man-in-the-middle attack (MITM), denial of service, leaking of secrets the remote execution job contains, or other issues that may arise from the attacker's ability to forge an SSH key. This issue does not directly allow unauthorized remote execution on the Satellite, although it can leak secrets that may lead to it.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

CNA 13 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/theforeman/foreman

≫

Paket foreman

Version 3.9.1.8

Status affected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:4.3.14-1.el8sat

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:3.9.1.8-1.el8sat

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 1:3.9.3.2-1.el8sat

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:2.16.9-1.el8pc

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:3.39.15-1.el8pc

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:1.8.3-1.el8sat

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:13.0.6-1.el8sat

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:12.0.7-1.el8sat

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:4.11.0.15-1.el8sat

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:3.0.0-1.el8sat

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:0.10.6-1.el8sat

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version 0:6.15.2-1.el8sat

Version < *

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.04%	0.867

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	6.8	1.6	5.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-322 Key Exchange without Entity Authentication

The product performs a key exchange with an actor without verifying the identity of that actor.

https://access.redhat.com/errata/RHBA-2024:4589

https://access.redhat.com/security/cve/CVE-2024-4871

https://bugzilla.redhat.com/show_bug.cgi?id=2278627

https://nvd.nist.gov/vuln/detail/CVE-2024-4871

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-4871

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-4871

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-4871