CVE-2021-3584: 
NixOS vulnerability analysis and mitigation

CVE-2021-3584 is a server-side remote code execution vulnerability discovered in the Foreman project. The vulnerability allows an authenticated attacker to exploit Sendmail configuration options to overwrite defaults and perform command injection. The vulnerability was fixed in Foreman versions 2.4.1, 2.5.1, and 3.0.0 (NVD, CVE).

The vulnerability exists in the Sendmail configuration settings accessible via Administer - Settings interface. Both sendmaillocation and sendmailarguments settings accept arbitrary strings that are passed directly into the shell. The vulnerability has a CVSS v3.1 base score of 7.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD, Foreman PR).

The vulnerability poses a significant threat to system confidentiality, integrity, and availability. If exploited, it could allow authenticated attackers to execute arbitrary commands with system-level privileges on the affected Foreman server (NVD, Bugzilla).

Prior to patching, administrators can mitigate the vulnerability by removing editsettings permissions from all roles and users. Alternatively, they can create settings named sendmaillocation and sendmail_arguments in settings.yaml file to override the UI and make the values read-only. The permanent fix limits the possible values for sendmail location to specific paths and implements shellescaping for arguments (Foreman PR).