Actions
Bug #14140
closed
Arbitrary Ruby code execution via Discovery setting
Status:
Resolved
Priority:
Normal
Assignee:
Category:
Image
Target version:
Difficulty:
trivial
Triaged:
Description
We have couple of evals during review of new Discovery Show page:
You can run arbitrary Ruby code by entering it on the About - Settings - Discovery and then visiting a discovered host detail page where it gets rendered.
Updated by Lukas Zapletal about 8 years ago
- Status changed from New to Ready For Testing
- Assignee changed from Lukas Zapletal to Alon Goldboim
- Pull request https://github.com/theforeman/foreman_discovery/pull/260 added
Updated by Dominic Cleal about 8 years ago
- Private changed from Yes to No
Marking as public as it's been referenced in the associated pull request.
Lukas has also reported it to foreman-security and since this only affects the version of Discovery that's used with a release candidate version of Foreman, no CVE will be assigned as it's generally pre-release. The issue should be resolved in time for 1.11.0's release and it should be documented on http://theforeman.org/security.html.
Updated by Lukas Zapletal about 8 years ago
- Status changed from Ready For Testing to Resolved
Merged into develop and 5.0 series, bugfix release by EOBW.
Actions