CVE-2018-14643
Description
An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authentication bypass in Foreman's smart_proxy_dynflow allows unauthenticated remote code execution on managed hosts.
Vulnerability
An authentication bypass flaw exists in smart_proxy_dynflow, the Foreman Smart Proxy plugin that handles remote execution jobs. The flaw lets an attacker bypass authentication to the plugin and execute arbitrary commands on machines managed by a vulnerable Foreman instance. Per the GitHub Security Advisory data below, the affected smart_proxy_dynflow releases are those before 0.1.11 and version 0.2.0; the fix was merged upstream in pull request #54 [2] and shipped in 0.1.11 and 0.2.1. The issue is described in Red Hat security advisory RHSA-2018:2733 [1] and the NVD entry [3].
Exploitation
An attacker sends crafted requests to the smart_proxy_dynflow API without authenticating. No credentials, prior access, user interaction, or special privileges are required; network reachability of the vulnerable smart proxy is enough. The attacker's commands are then run on managed hosts through the remote execution feature.
Impact
Successful exploitation results in remote code execution in a highly privileged context on the machines managed by the Foreman instance. This compromises the confidentiality, integrity, and availability of those systems and can give the attacker full control over the managed hosts.
Mitigation
The fix was merged upstream in pull request #54 [2] and released as smart_proxy_dynflow 0.1.11 (for the 0.1.x series) and 0.2.1 (for the 0.2.x series); Red Hat shipped it in errata RHSA-2018:2733 [1] and tracks the issue in Bugzilla [4]. Upgrade smart_proxy_dynflow on every smart proxy to one of those versions, or apply the vendor errata. No workaround is documented; until the upgrade is applied, restricting which hosts can reach the smart proxy's API reduces exposure but does not remove the flaw.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| smart_proxy_dynflow | RubyGems | >= 0.2.0, < 0.2.1 | 0.2.1 |
| smart_proxy_dynflow | RubyGems | < 0.1.11 | 0.1.11 |
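As an added check for the mitigation above (example code written for this page, not part of the advisory or of the smart_proxy_dynflow project), the following Ruby script encodes the two affected ranges from the table as `Gem::Requirement` objects and audits `gem list smart_proxy_dynflow` style output from a smart proxy, reporting for each installed version whether it is affected and which release fixes it. The sample `gem list` output inside the block is constructed, not captured from a real host.

```ruby
# Added example: audit installed smart_proxy_dynflow versions against the
# CVE-2018-14643 affected ranges (transcribed from the GHSA table on this page).
# Not the project's own code; the sample input below is constructed.
require 'rubygems'

# Affected ranges and the release that fixes each, as listed in the advisory table.
SMART_PROXY_DYNFLOW_ADVISORY = [
  { affected: Gem::Requirement.new('< 0.1.11'),            patched: Gem::Version.new('0.1.11') },
  { affected: Gem::Requirement.new('>= 0.2.0', '< 0.2.1'), patched: Gem::Version.new('0.2.1') },
].freeze

# Returns the Gem::Version the host should upgrade to, or nil if the given
# version is outside every affected range (i.e. already patched).
# Raises ArgumentError for strings that are not valid gem versions.
def fix_version_for(version_string)
  version = Gem::Version.new(version_string)
  entry = SMART_PROXY_DYNFLOW_ADVISORY.find { |e| e[:affected].satisfied_by?(version) }
  entry && entry[:patched]
end

# Parses lines in the format printed by `gem list smart_proxy_dynflow`, e.g.
#   smart_proxy_dynflow (0.2.0, 0.1.10)
# and returns { "version" => Gem::Version fix or nil } for every installed copy.
# Several versions can be installed side by side, so each one is checked.
def audit_gem_list(output)
  result = {}
  output.each_line do |line|
    m = line.match(/\Asmart_proxy_dynflow \(([^)]*)\)/)
    next unless m
    m[1].split(',').map(&:strip).each do |v|
      v = v.sub(/\A(default|ruby):\s*/, '') # `gem list` may prefix "default: "
      result[v] = fix_version_for(v)
    end
  end
  result
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample output (not from a real host): one affected copy per
  # series plus one already-patched copy.
  sample = "smart_proxy_dynflow (0.2.0, 0.1.10, 0.1.11)\n"
  audit_gem_list(sample).each do |version, fix|
    puts fix ? "#{version}: VULNERABLE, upgrade to #{fix}" : "#{version}: not affected"
  end
end
```

Run it against the real output of `gem list smart_proxy_dynflow` on each smart proxy (for example by piping that output into `audit_gem_list`); any entry that reports a fix version is inside an affected range and needs the upgrade named in the Mitigation section.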
Affected products (2)
Patches (0): No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] access.redhat.com/errata/RHSA-2018:2733 (Red Hat vendor advisory)
- [2] github.com/theforeman/smart_proxy_dynflow/pull/54 (upstream fix)
- [3] nvd.nist.gov/vuln/detail/CVE-2018-14643 (NVD)
- [4] bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- [5] github.com/advisories/GHSA-gx5g-xcxj-cx2w (GitHub Security Advisory)
- [6] access.redhat.com/security/cve/CVE-2018-14643 (Red Hat CVE page)
- [7] www.securityfocus.com/bid/105375 (SecurityFocus BID)
- [8] github.com/rubysec/ruby-advisory-db/blob/master/gems/smart_proxy_dynflow/CVE-2018-14643.yml (ruby-advisory-db)
News mentions (0): No linked articles in our index yet.