{"api_version":"1","generated_at":"2026-04-22T21:37:39+00:00","cve":"CVE-2021-3584","urls":{"html":"https://cve.report/CVE-2021-3584","api":"https://cve.report/api/cve/CVE-2021-3584.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3584","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3584"},"summary":{"title":"CVE-2021-3584","description":"A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed releases are 2.4.1, 2.5.1, 3.0.0.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-12-23 20:15:00","updated_at":"2022-01-05 18:58:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://projects.theforeman.org/issues/32753","name":"https://projects.theforeman.org/issues/32753","refsource":"MISC","tags":[],"title":"Bug #32753: CVE-2021-3584: Remote code execution through Sendmail configuration - Foreman","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/theforeman/foreman/pull/8599","name":"https://github.com/theforeman/foreman/pull/8599","refsource":"MISC","tags":[],"title":"Fixes #32753 - Remote code execution through Sendmail by lzap · Pull Request #8599 · theforeman/foreman · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1968439","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1968439","refsource":"MISC","tags":[],"title":"1968439 – (CVE-2021-3584) CVE-2021-3584 foreman: Authenticate remote code execution through Sendmail configuration","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3584","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3584","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3584","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"satellite","cpe6":"6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3584","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"theforeman","cpe5":"foreman","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3584","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"theforeman","cpe5":"foreman","cpe6":"3.0.0","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3584","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"theforeman","cpe5":"foreman","cpe6":"3.0.0","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-3584","qid":"240566","title":"Red Hat Update for Satellite 6.11 Release (RHSA-2022:5498)"},{"cve":"CVE-2021-3584","qid":"960505","title":"Rocky Linux Security Update for Satellite (RLSA-2022:5498)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-3584","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"foreman","version":{"version_data":[{"version_value":"foreman 2.4.1, foreman 2.5.1, foreman 3.0.0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-78"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://projects.theforeman.org/issues/32753","url":"https://projects.theforeman.org/issues/32753"},{"refsource":"MISC","name":"https://github.com/theforeman/foreman/pull/8599","url":"https://github.com/theforeman/foreman/pull/8599"},{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1968439","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1968439"}]},"description":{"description_data":[{"lang":"eng","value":"A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed releases are 2.4.1, 2.5.1, 3.0.0."}]}},"nvd":{"publishedDate":"2021-12-23 20:15:00","lastModifiedDate":"2022-01-05 18:58:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9},"severity":"HIGH","exploitabilityScore":8,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*","versionEndExcluding":"2.4.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*","versionStartIncluding":"2.5.0","versionEndExcluding":"2.5.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:theforeman:foreman:3.0.0:rc1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:theforeman:foreman:3.0.0:rc2:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:satellite:6.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3584","Ordinal":"209362","Title":"CVE-2021-3584","CVE":"CVE-2021-3584","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3584","Ordinal":"1","NoteData":"A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed releases are 2.4.1, 2.5.1, 3.0.0.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"3584","Ordinal":"2","NoteData":"2021-12-23","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"3584","Ordinal":"3","NoteData":"2021-12-23","Type":"Other","Title":"Modified"}]}}}