CVE-2023-2825: Is Foreman 3.6.1/3.3.0 affected?


There is a security issue on GitLab (GitLab 16.0.0 < 16.0.1 (CVE-2023-2825) | Tenable®) with a high severity. We can see that foreman is using a rubygem with gitlab inside.

Is foreman affected by this CVE?

Foreman 3.6.1: rubygem-gitlab-sidekiq-fetcher-0.9.0-2.el8.noarch
Foreman 3.3.0: tfm-rubygem-gitlab-sidekiq-fetcher-0.6.0-2.el7.noarch

Expected outcome:
A solution/fix/workaround if it is affected.

Foreman and Proxy versions:
Foreman 3.3.0:

Foreman 3.6.1:

Foreman and Proxy plugin versions:

Distribution and version:
Foreman 3.3.0: RHEL7
Foreman 3.6.1: RHEL8

Other relevant data:

gitlab-sidekiq-fetcher is a rubygem implementing a “Redis reliable queue pattern implemented in Sidekiq”, so it has nothing to do with a path traversal in Gitlab’s web interface, and there is no gitlab inside this rubygem except in its name.

Thanks for your answer and the very quick response.
Best regards.