CVE-2018-1096
Description
An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. A user could use this flaw to perform an SQL injection attack on the back end database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SQL injection vulnerability in Foreman's dashboard controller allows authenticated users to execute arbitrary SQL via the widget id parameter, fixed in version 1.16.1.
Vulnerability
An SQL injection vulnerability exists in the dashboard controller of Foreman versions before 1.16.1. The id parameter (also referred to as the widget id parameter) is not properly sanitized before being used in SQL queries. This allows an authenticated user with access to the dashboard to inject arbitrary SQL commands. The affected component is the dashboard controller, and the flaw is present in all Foreman versions prior to 1.16.1 [2][3].
Exploitation
An attacker must have a valid Foreman account with permission to access the dashboard. By sending a crafted HTTP request to the dashboard endpoint with a malicious id parameter, the attacker can inject SQL code. The injected SQL is executed against the backend database, bypassing the intended query logic. No special network position is required beyond normal access to the Foreman web interface [2].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL statements on the backend database. This can lead to unauthorized reading, modification, or deletion of data, including sensitive information such as user credentials, host configurations, and other managed resources. The attacker gains the ability to compromise the confidentiality, integrity, and availability of the Foreman instance and its managed infrastructure [2].
Mitigation
The vulnerability is fixed in Foreman version 1.16.1. Users running older versions should upgrade to 1.16.1 or later. For Red Hat Satellite customers, the fix is included in RHSA-2018:2927 (Satellite 6.4) [1]. No workarounds are documented; upgrading is the recommended mitigation. The issue is tracked in Foreman issue #23028 [3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Foreman Project / Foreman: versions before 1.16.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://access.redhat.com/errata/RHSA-2018:2927 (MITRE, vendor advisory, x_refsource_REDHAT)
- [2] https://projects.theforeman.org/issues/23028 (MITRE, x_refsource_CONFIRM)
- [3] https://bugzilla.redhat.com/show_bug.cgi (MITRE, x_refsource_CONFIRM; bug id not present in the source)
News mentions
No linked articles in our index yet.