Bug 2317450 (CVE-2024-6861) - foreman: OAuth secret exposure via unauthenticated access to the GraphQL API

Key Information:
Bug ID: 2317450
CVE ID: CVE-2024-6861
Product: Security Response
Component: vulnerability
Version: unspecified
Severity: high
Status: NEW
Reported: 2024-10-09 00:42 UTC by OSIDB Bzimport
Modified: 2024-10-09 05:28 UTC
Assignee: Product Security DevOps Team
Doc Type: A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys, which could result in a compromise of the entire product's API.
Target Milestone: ---
Environment: ---
Last Closed: ---
Embargoed: ---
Attachments:

A flaw was found in foreman before version 3.3. The server exposes a GraphQL API with limited access. If introspection is enabled (usually by default), it allows attackers to query a settings type without any authentication and retrieve the product settings, including the OAuth consumer_key and OAuth consumer_secret properties. These elements can be used to authenticate as foreman_api_admin and gain full control of the product's REST API.

Additional Information:
Keywords: Security
CC List: 8 users
Fixed In Version: ---
Depends On: ---
Blocks: ---