CVE-2024-6861: Foreman: OAuth secret exposure via unauthenticated access to the GraphQL API

Description

A disclosure of sensitive information flaw was found in Foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys, which could result in a compromise of the entire product's API.

Classification

CVE ID: CVE-2024-6861

Problem Types

Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: Red Hat

Product: Red Hat Satellite 6.12 for RHEL 8, Red Hat Satellite 6

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.14% (probability of being exploited)

EPSS Percentile: 35.91% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-05-08 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-6861
https://access.redhat.com/errata/RHSA-2022:8506
https://access.redhat.com/security/cve/CVE-2024-6861
https://bugzilla.redhat.com/show_bug.cgi?id=2317450
https://docs.theforeman.org/3.3/Release_Notes/index-katello.html#_foreman_2
https://projects.theforeman.org/issues/34328

Timeline