VYPR
Unrated severity · NVD Advisory · Published May 12, 2021 · Updated Aug 3, 2024

CVE-2021-3457

Description

An improper authorization handling flaw was found in Foreman. The Shellhooks plugin for the smart-proxy allows Foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Foreman Shellhooks plugin for smart-proxy lacks authorization, allowing authenticated local clients to perform server-restricted actions.

Vulnerability

The smart_proxy_shellhooks plugin for Foreman's smart-proxy contains an improper authorization handling flaw [1]. This allows any Foreman client (authenticated user) to execute actions that are intended to be limited to the Foreman Server itself [1]. The affected component is the Shellhooks plugin as used in upstream Foreman; Red Hat Satellite 6 does not ship this plugin and is not vulnerable [1]. The exact versions affected are not specified in the available references.

Exploitation

An authenticated local attacker can exploit this flaw by sending requests to the smart-proxy that invoke Shellhooks operations [1]. The attacker does not need special privileges beyond being a valid Foreman client [1]. No detailed exploitation steps are disclosed in the references.

Impact

Successful exploitation allows the attacker to access and delete limited resources on the Foreman server, and also causes a denial of service (DoS) on the Foreman server [1]. The highest threat is to integrity and system availability [1].

Mitigation

As a mitigation, disable the smart_proxy_shellhooks plugin on the Foreman server [1]. A fixed version of the plugin has not been announced in the available references; users should monitor the Foreman project for updates. Red Hat Satellite 6 is not affected [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)