Problem:
Hello,
There is a security issue in GitLab (GitLab 16.0.0 < 16.0.1 (CVE-2023-2825) | Tenable®) with a high severity. We can see that Foreman is using a rubygem with gitlab inside.
Is Foreman affected by this CVE?
Foreman 3.6.1: rubygem-gitlab-sidekiq-fetcher-0.9.0-2.el8.noarch
Foreman 3.3.0: tfm-rubygem-gitlab-sidekiq-fetcher-0.6.0-2.el7.noarch
Expected outcome:
A solution/fix/workaround if it is affected.
Foreman and Proxy versions:
Foreman 3.3.0:
foreman-3.3.0-1.el7.noarch
foreman-proxy-3.3.0-1.el7.noarch
Foreman 3.6.1:
foreman-3.6.1-1.el8.noarch
foreman-proxy-3.6.1-1.el8.noarch
Foreman and Proxy plugin versions:
Distribution and version:
Foreman 3.3.0: RHEL7
Foreman 3.6.1: RHEL8
Other relevant data: