
cpe:2.3:a:theforeman:foreman:-:*:*:*:*:*:*:*

part: a version: - update: *

Vendor: Theforeman (760bf134-312a-50ab-8452-1d7485d10f9b)
Product: Foreman (a88a3ac5-9a3c-5a4c-91ec-c5eca465eab6)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL Source Last updated
pkg:deb/debian/ruby-foreman purl2cpe 2026-06-01 10:15:04.526569
pkg:deb/ubuntu/ruby-foreman purl2cpe 2026-06-01 10:15:04.526572
pkg:gem/foreman purl2cpe 2026-06-01 10:15:04.526575
pkg:github/theforeman/foreman purl2cpe 2026-06-01 10:15:04.526577
pkg:rpm/opensuse/rubygem-foreman purl2cpe 2026-06-01 10:15:04.526580

Vulnerability references

Identifier cpeApplicability Submitted db.gcve.eu details Rationale
CVE:CVE-2024-7700 vulnerable 2026-06-08 06:58:23.179492 Foreman: command injection in "host init config" template via "install packages" field on foreman
MEDIUM (6.5)
A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script.
Published: 2024-08-12T16:48:54.120Z
Updated: 2025-11-20T20:56:57.209Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3874 vulnerable 2026-06-08 05:48:22.517360 OS command injection via ct_command and fcct_command
HIGH (8)
A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system.
Published: 2023-09-22T13:56:54.314Z
Updated: 2024-09-24T15:01:27.145Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-14643 vulnerable 2026-06-08 05:10:53.193009 Details available
CRITICAL (9.8)
An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.
Published: 2018-09-21T13:00:00.000Z
Updated: 2024-08-05T09:38:12.833Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-0091 vulnerable 2026-06-08 05:05:11.390731 Details available
Foreman has improper input validation which could lead to partial Denial of Service
Published: 2019-12-11T14:11:04.000Z
Updated: 2024-08-06T09:05:38.172Z
Imported from gcve-enriched-dumps CVE data
