Dismissed
CVE-2025-9572
5.0 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): NONE
- Availability impact (A): NONE
by @anthonyroussel
Activity log
- Created automatic suggestion
- @anthonyroussel removed 6 packages:
  - wyoming-satellite
  - xwayland-satellite
  - home-assistant-component-tests.assist_satellite
  - tests.home-assistant-component-tests.assist_satellite
  - foreman
  - satellite
- @anthonyroussel dismissed
Foreman: satellite: graphql api permission bypass leads to information disclosure
An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.
References
- RHSA-2025:21886 x_refsource_REDHAT vendor-advisory
- RHSA-2025:21893 x_refsource_REDHAT vendor-advisory
- RHSA-2025:21894 x_refsource_REDHAT vendor-advisory
- RHSA-2025:21897 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2025-9572 x_refsource_REDHAT vdb-entry
- RHBZ#2391715 issue-tracking x_refsource_REDHAT
- https://theforeman.org/security.html#2025-9572
Affected products
foreman
- *
- <3.16.2
satellite
- *
rubygem-katello
- *
Ignored packages (6)
pkgs.foreman
Process manager for applications with multiple components
pkgs.satellite
Program for showing navigation satellite data
pkgs.wyoming-satellite
Remote voice satellite using Wyoming protocol
pkgs.xwayland-satellite
Xwayland outside your Wayland compositor
pkgs.home-assistant-component-tests.assist_satellite
Open source home automation that puts local control and privacy first
pkgs.tests.home-assistant-component-tests.assist_satellite
Open source home automation that puts local control and privacy first