CVE-2025-9572

Summary

n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.

Affected Software

VendorProductVersion RangeStatus
The ForemanForeman1.22.0 < 3.16.2affected
Red HatRed Hat Satellite 6.15 for RHEL 80:3.9.1.14-1.el8sat < *unaffected
Red HatRed Hat Satellite 6.15 for RHEL 80:6.15.5.7-1.el8sat < *unaffected
Red HatRed Hat Satellite 6.16 for RHEL 80:3.12.0.12-1.el8sat < *unaffected
Red HatRed Hat Satellite 6.16 for RHEL 80:6.16.5.6-1.el8sat < *unaffected
Red HatRed Hat Satellite 6.16 for RHEL 90:3.12.0.12-1.el9sat < *unaffected
Red HatRed Hat Satellite 6.16 for RHEL 90:6.16.5.6-1.el9sat < *unaffected
Red HatRed Hat Satellite 6.17 for RHEL 90:3.14.0.11-1.el9sat < *unaffected
Red HatRed Hat Satellite 6.18 for RHEL 90:3.16.0.7-1.el9sat < *unaffected
Red HatRed Hat Satellite 6.18 for RHEL 90:4.18.0.4-1.el9sat < *unaffected
Red HatRed Hat Satellite 6.18 for RHEL 90:6.18.1-1.el9sat < *unaffected

Weaknesses

  • CWE-863: Incorrect Authorization

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References