We found an SQL Injection vulnerability in the Foreman search mechanism.
Foreman uses an external gem, scoped_search, to translate search queries into SQL queries.
The scoped_search gem can only translate a search query into a single SQL query.
Foreman has a complex database schema, and in some cases the queries that we want
to enable in the Foreman search cannot be expressed as a single SQL query.
To solve that, Foreman uses the scoped_search extension option,
which allows the developer to build an SQL condition from the result
of preliminary queries. The vulnerability was in Foreman's preliminary-query
code: some of the preliminary queries did not escape single quotes in the search
value before placing it in the query, so a quote in the value could alter the SQL.
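As an added example that is not Foreman's or scoped_search's own code, here is the unescaped pattern described above next to the escaped form, in the shape scoped_search's ext_method callbacks take; the table and column names, the search_by_user callbacks and quote_literal (standing in for ActiveRecord's connection.quote) are assumptions.

```ruby
# Added example (not Foreman's or scoped_search's own code): a callback in the
# shape scoped_search's "ext_method" option expects (key, operator, value) that
# returns an SQL condition built from a preliminary query. Table and column
# names are hypothetical. `quote_literal` stands in for the database adapter's
# string quoting (ActiveRecord's connection.quote), which doubles single quotes.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Vulnerable form: the search value is interpolated into the SQL text as-is.
# A single quote inside `value` terminates the string literal early, so the
# rest of the input is parsed as SQL rather than treated as data.
# `operator` is assumed to come from scoped_search's parser (a fixed set such
# as = or <>), not from free text.
def search_by_user_vulnerable(_key, operator, value)
  { conditions: "hosts.id IN (SELECT host_id FROM host_users " \
                "WHERE user_login #{operator} '#{value}')" }
end

# Fixed form: the value is quoted before it is placed in the SQL text, so a
# quote in the input stays inside the literal.
def search_by_user_fixed(_key, operator, value)
  { conditions: "hosts.id IN (SELECT host_id FROM host_users " \
                "WHERE user_login #{operator} #{quote_literal(value)})" }
end

# Cheap sanity check usable in a test suite: an odd number of single quotes
# means the input broke a literal open.
def unbalanced_quotes?(sql)
  sql.count("'").odd?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a legitimate login containing an apostrophe.
  login = "O'Brien"
  puts search_by_user_vulnerable("user", "=", login)[:conditions]
  puts search_by_user_fixed("user", "=", login)[:conditions]
end
```

Running it prints the broken condition (three single quotes) followed by the well-formed one with `'O''Brien'`.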
The issue affects the following search queries:
A. On the Hosts index page, queries that search by user, puppetclass or parameter.
B. On the Puppetclass index page, queries that search by host.
A fix was pushed to both the develop branch and the 1.0-stable branch.
New packages for Foreman 1.0.2, which fix the issue, are available.