Foreman GraphQL API Sensitive Data Exposure
CVE-2024-6861 Published on November 6, 2024

Foreman: foreman: oauth secret exposure via unauthenticated access to the graphql api
A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2024-6861 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public. 5 days later.

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2024-6861 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2024-6861

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-6861 are published in these products:

Theforeman Foreman
 
Red Hat Satellite
 
Red Hat Satellite Utils
 
Red Hat Satellite Capsule
 
Red Hat Satellite Maintenance
 

Exploit Probability

EPSS
0.29%
Percentile
52.14%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.