CVE-2024-7012 CRITICAL

CVE-2024-7012: Puppet-foreman: an authentication bypass vulnerability exists in foreman

Weakness CWE-287 · Improper authentication
Published September 4, 2024
Last update November 11, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) and could potentially enable unauthorized users to gain administrative access.

Key dates

02Disclosure timeline

September 4, 2024 CVE published
November 11, 2025 Record updated