CVE-2025-9572

Опубликовано: 27 фев. 2026

Источник: nvd

CVSS3: 5

CVSS3: 6.5

EPSS Низкий

Описание

n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.

Ссылки

https://access.redhat.com/errata/RHSA-2025:21886
Third Party Advisory
https://access.redhat.com/errata/RHSA-2025:21893
Third Party Advisory
https://access.redhat.com/errata/RHSA-2025:21894
Third Party Advisory
https://access.redhat.com/errata/RHSA-2025:21897
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2025-9572
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2391715
Issue Tracking
https://theforeman.org/security.html#2025-9572
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*

Версия от 1.22.0 (включая) до 3.16.2 (исключая)

Конфигурация 2

Одно из

cpe:2.3:a:redhat:satellite:6.15:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite:6.16:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite:6.17:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite:6.18:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite_capsule:6.15:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite_capsule:6.16:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite_capsule:6.17:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite_capsule:6.18:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

EPSS

Процентиль: 1%

0.0001

Низкий

5 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-863

Связанные уязвимости

CVE-2025-9572

CVSS3: 5

ubuntu

около 1 месяца назад

CVE-2025-9572

CVSS3: 5

redhat

7 месяцев назад

CVE-2025-9572

CVSS3: 5

debian

около 1 месяца назад

n authorization flaw in Foreman's GraphQL API allows low-privileged us ...

GHSA-gvvp-xfg4-2fr6

CVSS3: 5

github

около 1 месяца назад

EPSS

Процентиль: 1%

0.0001

Низкий

5 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-863