CVE-2024-7700

EPSS 0.17%
Published 12.08.2024 17:15:18
Last modified 16.09.2024 14:20:21
Source secalert@redhat.com
Teams watchlist Login
Open Login

A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Theforeman ≫ Foreman Version-

Redhat ≫ Satellite Version6.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.17%	0.383

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	0.6	5.9	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
secalert@redhat.com	6.5	0.6	5.9	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://access.redhat.com/security/cve/CVE-2024-7700

Third Party Advisory

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2304090

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-7700

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-7700

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-7700

EUVD