A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API.
History

Wed, 06 Nov 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 Nov 2024 15:00:00 +0000

Type Values Removed Values Added
Title foreman: foreman: OAuth secret exposure via unauthenticated access to the GraphQL API Foreman: foreman: oauth secret exposure via unauthenticated access to the graphql api
First Time appeared Redhat satellite Maintenance
Redhat satellite Utils
CPEs cpe:/a:redhat:satellite:6
cpe:/a:redhat:satellite_maintenance:6.12::el8
cpe:/a:redhat:satellite_utils:6.12::el8
Vendors & Products Redhat satellite Maintenance
Redhat satellite Utils
References

Thu, 10 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat satellite
Redhat satellite Capsule
CPEs cpe:/a:redhat:satellite:6.12::el8
cpe:/a:redhat:satellite_capsule:6.12::el8
Vendors & Products Redhat
Redhat satellite
Redhat satellite Capsule

Wed, 09 Oct 2024 13:30:00 +0000

Type Values Removed Values Added
Description A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API.
Title foreman: foreman: OAuth secret exposure via unauthenticated access to the GraphQL API
Weaknesses CWE-200
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Important


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-11-06T14:54:51.099Z

Updated: 2024-11-06T16:16:15.642Z

Reserved: 2024-07-17T20:36:00.703Z

Link: CVE-2024-6861

cve-icon Vulnrichment

Updated: 2024-11-06T16:16:11.767Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-06T15:15:20.187

Modified: 2024-11-06T18:17:17.287

Link: CVE-2024-6861

cve-icon Redhat

Severity : Important

Publid Date: 2024-10-09T00:42:00Z

Links: CVE-2024-6861 - Bugzilla