Foreman Security Update Advisory (CVE-2024-7012, CVE-2024-7923)

Sep 09 2024

Overview

An update has been released to address vulnerabilities in Foreman. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-7012

Foreman versions: 2.2.0 or later version

CVE-2024-7923

Foreman versions: 2.4.0 or later version

Resolved Vulnerabilities

Authentication bypass vulnerability in Foreman due to puppet-foreman configuration (CVE-2024-7012)

Authentication bypass vulnerability in Pulpcore due to puppet-pulpcore configuration when deploying with Gunicorn 22.0 or below (CVE-2024-7923)

Vulnerability Patches

The following product-specific Vulnerability Patches have been made available with the latest update. If you are using an affected version, Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.

CVE-2024-7012, CVE-2024-7923

Foreman version: 3.10.1
Foreman version: 3.11.2
Foreman version: 3.12.0

References

[1] theforeman/Security

https://theforeman.org/security.html

[2] CVE-2024-7012: Authentication bypass in Foreman

https://projects.theforeman.org/issues/37786?tab=changesets

[3] CVE-2024-7923: Authentication bypass in Pulpcore

https://projects.theforeman.org/issues/37787?tab=changesets

Foreman Security Update Advisory (CVE-2024-7012, CVE-2024-7923)

Cisco Products September 2024 First Security Update Advisory

IBM Product Security Update Advisory

Tags:

Cisco Products September 2024 First Security Update Advisory

IBM Product Security Update Advisory