Security CVE-2022-3874

[Doltair]

https://scout.docker.com/vulnerabilities/id/CVE-2022-3874?utm_source=desktop&utm_medium=ExternalLink

• A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system.

  CVSS Score: | 9.1 CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Affected range: | <=3.8.0 Fix version: | Not yet available Publish date: | 2023-09-22

[irphilli]

Saw this come through as well, but it looks like this is being falsely attributed to this gem.

The "foreman" referenced in the CVE is part of Red Hat Satellite. References:

• https://bugzilla.redhat.com/show_bug.cgi?id=2140577
• https://theforeman.org/

[Doltair]

So weird yeah. How can we dismiss this false tagging of CVE? :cry:

[irphilli]

It looks like it has been withdrawn: https://github.com/advisories/GHSA-9jfq-54vc-9rr2

[Doltair]

all good now! it's not showing anymore from the scans! 😃 .

Closing this issue.