8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3589

GHSA ID

GHSA-vvff-6wrr-4g7q

EPSS Score

0.44646%

CWE

CWE-306

Published

3/24/2022

Updated

5/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-3589

CVE-2021-3589:
Missing Authentication for Critical Function in Foreman Ansible

An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3589

GHSA ID

GHSA-vvff-6wrr-4g7q

EPSS Score

0.44646%

CWE

CWE-306

Published

3/24/2022

Updated

5/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
foreman_ansible	rubygems	< 2.0.0	2.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient authorization checks in Remote Execution (REX) integration. The AnsibleProvider's proxy_command_options merges host parameters into the ansible_inventory without validating the user's right to access those hosts. The AnsibleRunner initialization accepts these parameters directly, and the SettingsOverride bypasses normal security checks when ansible_inventory is provided. Together, these functions allow authenticated attackers to craft job templates that execute on unauthorized hosts via manipulated inventory data, consistent with CWE-306's 'Missing Authentication for Critical Function' description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *ut*oriz*tion *l*w w*s *oun* in *or*m*n *nsi*l*. *n *ut**nti**t** *tt**k*r wit* **rt*in p*rmissions to *r**t* *n* run *nsi*l* jo*s **n ****ss *osts t*rou** jo* t*mpl*t*s. T** *i***st t*r**t *rom t*is vuln*r**ility is to **t* *on*i**nti*lity *n* in

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt *ut*oriz*tion ****ks in R*mot* *x**ution (R*X) int**r*tion. T** *nsi*l*Provi**r's proxy_*omm*n*_options m*r**s *ost p*r*m*t*rs into t** *nsi*l*_inv*ntory wit*out v*li**tin* t** us*r's ri**t to ****ss t*os* *o

8.1

Basic Information

Concerned about an active attack path?

CVE-2021-3589: Missing Authentication for Critical Function in Foreman Ansible

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-3589:
Missing Authentication for Critical Function in Foreman Ansible

Vulnerability Intelligence
Miggo AI