CVE-2024-7012
Published: Sep 4, 2024
Modified: Nov 11, 2025
CVSS v3.1
9.8
Description
An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) and could potentially enable unauthorized users to gain administrative access.
| Vendor | Product | Versions |
|---|---|---|
Unknown | puppet-foreman | affected 0 - < 22.0 |
Red Hat | Red Hat Satellite 6.13 for RHEL 8 | unaffected 1:3.5.2.8-1.el8sat - < * |
Red Hat | Red Hat Satellite 6.13 for RHEL 8 | unaffected 1:3.5.2.8-1.el8sat - < * |
Red Hat | Red Hat Satellite 6.14 for RHEL 8 | unaffected 1:3.7.0.8-1.el8sat - < * |
Red Hat | Red Hat Satellite 6.14 for RHEL 8 | unaffected 1:3.7.0.8-1.el8sat - < * |
Red Hat | Red Hat Satellite 6.15 for RHEL 8 | unaffected 1:3.9.3.4-1.el8sat - < * |
Red Hat | Red Hat Satellite 6.15 for RHEL 8 | unaffected 1:3.9.3.4-1.el8sat - < * |
Red Hat | Red Hat Satellite 6.16 for RHEL 8 | unaffected 1:3.12.0.1-1.el8sat - < * |
Red Hat | Red Hat Satellite 6.16 for RHEL 8 | unaffected 1:3.12.0.1-1.el8sat - < * |
Red Hat | Red Hat Satellite 6.16 for RHEL 9 | unaffected 1:3.12.0.1-1.el9sat - < * |
Red Hat | Red Hat Satellite 6.16 for RHEL 9 | unaffected 1:3.12.0.1-1.el9sat - < * |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now