Hello all!
Foreman Discovery 5.0.2 update is on our servers ready for update. This
is a security release covering one individual problem. It is possible
to run arbitrary Ruby code by entering it on the Administer - Settings -
Discovery page and then visiting a discovered host detail page, where it
gets rendered.
- Affects Foreman Discovery 4.2.0 to 5.0.1 (gem releases only, rc and
nightly builds)
- Discovery plugin 4.1 series (shipped with Foreman 1.10) was not
affected.
- Fixed in Discovery plugin 5.0.2
- Redmine issue Bug #14140: Arbitrary Ruby code execution via Discovery setting - Discovery - Foreman
For more info visit
http://theforeman.org/security.html#2016-discovery-settings