GCVE - cpe:2.3:a:theforeman:foreman:1.9.0:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:theforeman:foreman:1.9.0:*:*:*:*:*:*:*

part: a version: 1.9.0 update: *

Vendor	Theforeman (`760bf134-312a-50ab-8452-1d7485d10f9b`)
Product	Foreman (`a88a3ac5-9a3c-5a4c-91ec-c5eca465eab6`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/ruby-foreman`	purl2cpe	2026-06-01 10:15:04.574487
`pkg:deb/ubuntu/ruby-foreman`	purl2cpe	2026-06-01 10:15:04.574489
`pkg:gem/foreman`	purl2cpe	2026-06-01 10:15:04.574490
`pkg:github/theforeman/foreman`	purl2cpe	2026-06-01 10:15:04.574492
`pkg:rpm/opensuse/rubygem-foreman`	purl2cpe	2026-06-01 10:15:04.574493

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2017-7505`	vulnerable	2026-06-08 05:09:56.253432	Details available Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user object outside of their scope, such as editing global admin accounts including changing their passwords. Published: 2017-05-26T16:00:00.000Z Updated: 2024-08-05T16:04:11.828Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/98607 http://projects.theforeman.org/issues/19612 https://github.com/theforeman/foreman/pull/4545	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-5282`	vulnerable	2026-06-08 05:06:49.426256	Details available Cross-site scripting (XSS) vulnerability in Foreman 1.7.0 and after. Published: 2017-09-25T17:00:00.000Z Updated: 2024-08-06T06:41:09.516Z Open on db.gcve.eu Reference links https://github.com/theforeman/foreman/commit/4f3555b217be8723e8045f9816d147b5f684ec57 https://bugzilla.redhat.com/show_bug.cgi?id=1264221 http://www.openwall.com/lists/oss-security/2015/09/21/3 https://theforeman.org/security.html#2015-5282 http://projects.theforeman.org/issues/11859	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-5246`	vulnerable	2026-06-08 05:06:49.329255	Details available The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory. Published: 2017-10-06T15:00:00.000Z Updated: 2024-08-06T06:41:08.818Z Open on db.gcve.eu Reference links http://projects.theforeman.org/issues/11471 https://bugzilla.redhat.com/show_bug.cgi?id=1258700	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-5233`	vulnerable	2026-06-08 05:06:49.303261	Details available Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs. Published: 2016-04-11T21:00:00.000Z Updated: 2024-08-06T06:41:08.399Z Open on db.gcve.eu Reference links http://projects.theforeman.org/issues/11579 https://access.redhat.com/errata/RHSA-2015:2622 http://theforeman.org/security.html#CVE-2015-5233:reportsshow/destroynotrestrictedbyhostauthorization	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.