CVE-2024-6861
📋 TL;DR
This vulnerability in Foreman's GraphQL API allows attackers to retrieve sensitive admin authentication keys when introspection is enabled. This could lead to full API compromise. All Foreman installations with GraphQL introspection enabled are affected.
💻 Affected Systems
- Foreman
- Katello
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Foreman API leading to unauthorized administrative access, data exfiltration, and potential lateral movement to managed systems.
Likely Case
Attackers gain admin API access, allowing them to modify configurations, create/delete resources, and access sensitive infrastructure data.
If Mitigated
Limited impact if introspection is disabled or proper network segmentation prevents unauthorized access to GraphQL endpoints.
🎯 Exploit Status
Exploitation requires only GraphQL introspection queries, which are standard GraphQL functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Foreman 3.3.0 and later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-6861
Restart Required: Yes
Instructions:
1. Update Foreman to version 3.3.0 or later.
2. Apply the Red Hat Security Advisory RHSA-2022:8506 if using Red Hat Satellite.
3. Restart Foreman services.
🔧 Temporary Workarounds
Disable GraphQL Introspection
Disable the GraphQL introspection feature to prevent information disclosure
Edit Foreman configuration to set 'graphql_introspection: false' in settings.yaml
Restrict GraphQL API Access
Implement network controls to restrict access to GraphQL endpoints
Configure firewall rules to limit GraphQL API access to trusted networks only
🧯 If You Can't Patch
- Immediately disable GraphQL introspection in Foreman configuration
- Implement strict network segmentation and firewall rules to limit GraphQL API access
🔍 How to Verify
Check if Vulnerable:
Check if GraphQL introspection is enabled and Foreman version is below 3.3.0
Check Version:
foreman --version
Verify Fix Applied:
Verify Foreman version is 3.3.0 or later and GraphQL introspection is disabled or properly secured
📡 Detection & Monitoring
Log Indicators:
- Unusual GraphQL introspection queries
- Multiple failed authentication attempts followed by successful admin API access
Network Indicators:
- GraphQL introspection queries to Foreman API endpoints from unauthorized sources
SIEM Query:
source="foreman" AND (query="__schema" OR query="__type" OR query="introspection")
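As an added example (not part of this advisory and not Foreman's own code), the detection logic above applied to constructed log lines: it flags GraphQL requests that use the reserved introspection fields and raises the severity when the source address lies outside an assumed trusted management network. The log field names, addresses and trusted range are assumptions for the example.

```python
# Added example: flag GraphQL introspection requests in constructed Foreman
# request logs and rank those from outside the trusted network higher.
import ipaddress
import json
import re

# Assumption: each log line is a JSON record carrying the client IP, the
# request path and the GraphQL query body. Values below are constructed.
SAMPLE_LOGS = [
    '{"src_ip": "10.20.0.5", "path": "/api/graphql", "query": "{ hosts { nodes { name } } }"}',
    '{"src_ip": "10.20.0.5", "path": "/api/graphql", "query": "{ __schema { types { name } } }"}',
    '{"src_ip": "203.0.113.9", "path": "/api/graphql", "query": "query { __type(name: \\"User\\") { fields { name } } }"}',
    '{"src_ip": "203.0.113.9", "path": "/api/hosts", "query": ""}',
]

# Assumed trusted management network for the example.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Introspection queries use the reserved __schema / __type root fields;
# the word boundary keeps the ordinary __typename field from matching.
INTROSPECTION_RE = re.compile(r"\b__(schema|type)\b")


def is_introspection(query: str) -> bool:
    """True when the GraphQL query body requests schema introspection."""
    return bool(INTROSPECTION_RE.search(query))


def is_trusted(src_ip: str) -> bool:
    """True when the client address falls inside a trusted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_introspection_alerts(log_lines):
    """Return (src_ip, severity) for each introspection request to /api/graphql.

    Requests from trusted networks are 'medium' (worth reviewing, since the
    advisory recommends disabling introspection); all others are 'high'.
    """
    alerts = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        if rec.get("path") != "/api/graphql" or not is_introspection(rec.get("query", "")):
            continue
        severity = "medium" if is_trusted(rec["src_ip"]) else "high"
        alerts.append((rec["src_ip"], severity))
    return alerts
```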