Search

Find a vulnerability

Search criteria

    20 vulnerabilities found for katello by theforeman

    CVE-2013-4120 (GCVE-0-2013-4120)

    Vulnerability from nvd – Published: 2019-12-10 14:32 – Updated: 2024-08-06 16:30
    VLAI
    Summary
    Katello has a Denial of Service vulnerability in API OAuth authentication
    Severity
    No CVSS data available.
    CWE
    • DoS in API OAuth authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Katello Katello Affected: through 2013-07-12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T16:30:50.046Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4120"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2013-4120"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Katello",
              "vendor": "Katello",
              "versions": [
                {
                  "status": "affected",
                  "version": "through 2013-07-12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Katello has a Denial of Service vulnerability in API OAuth authentication"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "DoS in API OAuth authentication",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-10T14:32:37.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4120"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/cve-2013-4120"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-4120",
        "datePublished": "2019-12-10T14:32:37.000Z",
        "dateReserved": "2013-06-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T16:30:50.046Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-0283 (GCVE-0-2013-0283)

    Vulnerability from nvd – Published: 2019-12-05 16:02 – Updated: 2024-08-06 14:18
    VLAI
    Summary
    Katello: Username in Notification page has cross site scripting
    Severity
    No CVSS data available.
    CWE
    • Username in Notification page XSS
    Assigner
    References
    Impacted products
    Vendor Product Version
    Katello Katello Affected: through 2013-02-13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T14:18:09.781Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0283"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2013-0283"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Katello",
              "vendor": "Katello",
              "versions": [
                {
                  "status": "affected",
                  "version": "through 2013-02-13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Katello: Username in Notification page has cross site scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Username in Notification page XSS",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-05T16:02:14.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0283"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/cve-2013-0283"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-0283",
        "datePublished": "2019-12-05T16:02:14.000Z",
        "dateReserved": "2012-12-06T00:00:00.000Z",
        "dateUpdated": "2024-08-06T14:18:09.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-2101 (GCVE-0-2013-2101)

    Vulnerability from nvd – Published: 2019-12-03 13:08 – Updated: 2024-08-06 15:27
    VLAI
    Summary
    Katello has multiple XSS issues in various entities
    Severity
    No CVSS data available.
    CWE
    • Multiple XSS in various entities
    Assigner
    References
    Impacted products
    Vendor Product Version
    Katello Katello Affected: through 2013-05-16
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T15:27:40.626Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2101"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2013-2101"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Katello",
              "vendor": "Katello",
              "versions": [
                {
                  "status": "affected",
                  "version": "through 2013-05-16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Katello has multiple XSS issues in various entities"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Multiple XSS in various entities",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-03T13:08:36.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2101"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/cve-2013-2101"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-2101",
        "datePublished": "2019-12-03T13:08:36.000Z",
        "dateReserved": "2013-02-19T00:00:00.000Z",
        "dateUpdated": "2024-08-06T15:27:40.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-14825 (GCVE-0-2019-14825)

    Vulnerability from nvd – Published: 2019-11-25 00:00 – Updated: 2024-08-05 00:26
    VLAI
    Summary
    A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Red Hat katello Affected: katello versions 3.x.x.x before katello 3.12.0.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T00:26:39.129Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14825"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello",
              "vendor": "Red Hat",
              "versions": [
                {
                  "status": "affected",
                  "version": "katello versions 3.x.x.x before katello 3.12.0.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-07T00:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14825"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-14825",
        "datePublished": "2019-11-25T00:00:00.000Z",
        "dateReserved": "2019-08-10T00:00:00.000Z",
        "dateUpdated": "2024-08-05T00:26:39.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16887 (GCVE-0-2018-16887)

    Vulnerability from nvd – Published: 2019-01-13 02:00 – Updated: 2024-08-05 10:39
    VLAI
    Summary
    A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.
    CWE
    Assigner
    References
    URL Tags
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:1222 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Date Public
    2018-10-11 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:39:57.671Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887"
              },
              {
                "name": "RHSA-2019:1222",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1222"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello",
              "vendor": "The Katello Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.9.0"
                }
              ]
            }
          ],
          "datePublic": "2018-10-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-14T16:06:05.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887"
            },
            {
              "name": "RHSA-2019:1222",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1222"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2018-16887",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "katello",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "3.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Katello Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887"
                },
                {
                  "name": "RHSA-2019:1222",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1222"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-16887",
        "datePublished": "2019-01-13T02:00:00.000Z",
        "dateReserved": "2018-09-11T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:39:57.671Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-14623 (GCVE-0-2018-14623)

    Vulnerability from nvd – Published: 2018-12-13 22:00 – Updated: 2024-08-05 09:29
    VLAI
    Summary
    A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulnerable.
    Assigner
    References
    Impacted products
    Vendor Product Version
    The Foreman Project katello Affected: 3.10 and older
    Create a notification for this product.
    Date Public
    2018-12-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:29:51.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14623"
              },
              {
                "name": "106224",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/106224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello",
              "vendor": "The Foreman Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.10 and older"
                }
              ]
            }
          ],
          "datePublic": "2018-12-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A SQL injection flaw was found in katello\u0027s errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulnerable."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-18T10:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14623"
            },
            {
              "name": "106224",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/106224"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-14623",
        "datePublished": "2018-12-13T22:00:00.000Z",
        "dateReserved": "2018-07-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T09:29:51.865Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-2662 (GCVE-0-2017-2662)

    Vulnerability from nvd – Published: 2018-08-22 16:00 – Updated: 2024-08-05 14:02
    VLAI
    Summary
    A flaw was found in Foreman's katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2017-03-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:02:07.107Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2662"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://projects.theforeman.org/issues/18838"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "foreman katello plugin",
              "vendor": "The Foreman Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.5"
                }
              ]
            }
          ],
          "datePublic": "2017-03-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Foreman\u0027s katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-08-22T15:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2662"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://projects.theforeman.org/issues/18838"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-2662",
        "datePublished": "2018-08-22T16:00:00.000Z",
        "dateReserved": "2016-12-01T00:00:00.000Z",
        "dateUpdated": "2024-08-05T14:02:07.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-9595 (GCVE-0-2016-9595)

    Vulnerability from nvd – Published: 2018-07-27 18:00 – Updated: 2024-08-06 02:59
    VLAI
    Summary
    A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:0336 vendor-advisoryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Foreman katello-debug Affected: 3.4.0
    Create a notification for this product.
    Date Public
    2018-07-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:59:02.231Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:0336",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0336"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello-debug",
              "vendor": "Foreman",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-377",
                  "description": "CWE-377",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-28T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:0336",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0336"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-9595",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "katello-debug",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Foreman"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ],
                [
                  {
                    "vectorString": "6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C",
                    "version": "2.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-377"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:0336",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0336"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-9595",
        "datePublished": "2018-07-27T18:00:00.000Z",
        "dateReserved": "2016-11-23T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:59:02.231Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-2143 (GCVE-0-2013-2143)

    Vulnerability from nvd – Published: 2014-04-17 14:00 – Updated: 2024-08-06 15:27
    VLAI
    Summary
    The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://www.exploit-db.com/exploits/32515 exploitx_refsource_EXPLOIT-DB
    http://packetstormsecurity.com/files/125866/Katel… x_refsource_MISC
    http://www.securityfocus.com/bid/66434 vdb-entryx_refsource_BID
    http://www.osvdb.org/104981 vdb-entryx_refsource_OSVDB
    Date Public
    2014-03-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T15:27:40.812Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "32515",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/32515"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/125866/Katello-Red-Hat-Satellite-users-update_roles-Missing-Authorization.html"
              },
              {
                "name": "66434",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/66434"
              },
              {
                "name": "104981",
                "tags": [
                  "vdb-entry",
                  "x_refsource_OSVDB",
                  "x_transferred"
                ],
                "url": "http://www.osvdb.org/104981"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-03-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2014-04-17T12:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "32515",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/32515"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/125866/Katello-Red-Hat-Satellite-users-update_roles-Missing-Authorization.html"
            },
            {
              "name": "66434",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/66434"
            },
            {
              "name": "104981",
              "tags": [
                "vdb-entry",
                "x_refsource_OSVDB"
              ],
              "url": "http://www.osvdb.org/104981"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-2143",
        "datePublished": "2014-04-17T14:00:00.000Z",
        "dateReserved": "2013-02-19T00:00:00.000Z",
        "dateUpdated": "2024-08-06T15:27:40.812Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2012-3503 (GCVE-0-2012-3503)

    Vulnerability from nvd – Published: 2012-08-25 10:00 – Updated: 2024-08-06 20:05
    VLAI
    Summary
    The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://secunia.com/advisories/50344 third-party-advisoryx_refsource_SECUNIA
    http://rhn.redhat.com/errata/RHSA-2012-1187.html vendor-advisoryx_refsource_REDHAT
    http://www.securityfocus.com/bid/55140 vdb-entryx_refsource_BID
    https://github.com/Katello/katello/pull/499 x_refsource_CONFIRM
    https://github.com/Katello/katello/commit/7c256fe… x_refsource_CONFIRM
    http://rhn.redhat.com/errata/RHSA-2012-1186.html vendor-advisoryx_refsource_REDHAT
    Date Public
    2012-08-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T20:05:12.721Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "50344",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/50344"
              },
              {
                "name": "RHSA-2012:1187",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2012-1187.html"
              },
              {
                "name": "55140",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/55140"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/Katello/katello/pull/499"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3"
              },
              {
                "name": "RHSA-2012:1186",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2012-1186.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2012-08-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-03-22T09:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "50344",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/50344"
            },
            {
              "name": "RHSA-2012:1187",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2012-1187.html"
            },
            {
              "name": "55140",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/55140"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/Katello/katello/pull/499"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3"
            },
            {
              "name": "RHSA-2012:1186",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2012-1186.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2012-3503",
        "datePublished": "2012-08-25T10:00:00.000Z",
        "dateReserved": "2012-06-14T00:00:00.000Z",
        "dateUpdated": "2024-08-06T20:05:12.721Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-4120 (GCVE-0-2013-4120)

    Vulnerability from cvelistv5 – Published: 2019-12-10 14:32 – Updated: 2024-08-06 16:30
    VLAI
    Summary
    Katello has a Denial of Service vulnerability in API OAuth authentication
    Severity
    No CVSS data available.
    CWE
    • DoS in API OAuth authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Katello Katello Affected: through 2013-07-12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T16:30:50.046Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4120"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2013-4120"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Katello",
              "vendor": "Katello",
              "versions": [
                {
                  "status": "affected",
                  "version": "through 2013-07-12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Katello has a Denial of Service vulnerability in API OAuth authentication"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "DoS in API OAuth authentication",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-10T14:32:37.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4120"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/cve-2013-4120"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-4120",
        "datePublished": "2019-12-10T14:32:37.000Z",
        "dateReserved": "2013-06-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T16:30:50.046Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-0283 (GCVE-0-2013-0283)

    Vulnerability from cvelistv5 – Published: 2019-12-05 16:02 – Updated: 2024-08-06 14:18
    VLAI
    Summary
    Katello: Username in Notification page has cross site scripting
    Severity
    No CVSS data available.
    CWE
    • Username in Notification page XSS
    Assigner
    References
    Impacted products
    Vendor Product Version
    Katello Katello Affected: through 2013-02-13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T14:18:09.781Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0283"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2013-0283"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Katello",
              "vendor": "Katello",
              "versions": [
                {
                  "status": "affected",
                  "version": "through 2013-02-13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Katello: Username in Notification page has cross site scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Username in Notification page XSS",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-05T16:02:14.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0283"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/cve-2013-0283"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-0283",
        "datePublished": "2019-12-05T16:02:14.000Z",
        "dateReserved": "2012-12-06T00:00:00.000Z",
        "dateUpdated": "2024-08-06T14:18:09.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-2101 (GCVE-0-2013-2101)

    Vulnerability from cvelistv5 – Published: 2019-12-03 13:08 – Updated: 2024-08-06 15:27
    VLAI
    Summary
    Katello has multiple XSS issues in various entities
    Severity
    No CVSS data available.
    CWE
    • Multiple XSS in various entities
    Assigner
    References
    Impacted products
    Vendor Product Version
    Katello Katello Affected: through 2013-05-16
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T15:27:40.626Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2101"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/cve-2013-2101"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Katello",
              "vendor": "Katello",
              "versions": [
                {
                  "status": "affected",
                  "version": "through 2013-05-16"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Katello has multiple XSS issues in various entities"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Multiple XSS in various entities",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-03T13:08:36.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2101"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/cve-2013-2101"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-2101",
        "datePublished": "2019-12-03T13:08:36.000Z",
        "dateReserved": "2013-02-19T00:00:00.000Z",
        "dateUpdated": "2024-08-06T15:27:40.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-14825 (GCVE-0-2019-14825)

    Vulnerability from cvelistv5 – Published: 2019-11-25 00:00 – Updated: 2024-08-05 00:26
    VLAI
    Summary
    A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Red Hat katello Affected: katello versions 3.x.x.x before katello 3.12.0.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T00:26:39.129Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14825"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello",
              "vendor": "Red Hat",
              "versions": [
                {
                  "status": "affected",
                  "version": "katello versions 3.x.x.x before katello 3.12.0.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-07T00:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14825"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-14825",
        "datePublished": "2019-11-25T00:00:00.000Z",
        "dateReserved": "2019-08-10T00:00:00.000Z",
        "dateUpdated": "2024-08-05T00:26:39.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16887 (GCVE-0-2018-16887)

    Vulnerability from cvelistv5 – Published: 2019-01-13 02:00 – Updated: 2024-08-05 10:39
    VLAI
    Summary
    A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable.
    CWE
    Assigner
    References
    URL Tags
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2019:1222 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Date Public
    2018-10-11 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:39:57.671Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887"
              },
              {
                "name": "RHSA-2019:1222",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1222"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello",
              "vendor": "The Katello Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.9.0"
                }
              ]
            }
          ],
          "datePublic": "2018-10-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-14T16:06:05.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887"
            },
            {
              "name": "RHSA-2019:1222",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1222"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2018-16887",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "katello",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "3.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Katello Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16887"
                },
                {
                  "name": "RHSA-2019:1222",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1222"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-16887",
        "datePublished": "2019-01-13T02:00:00.000Z",
        "dateReserved": "2018-09-11T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:39:57.671Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-14623 (GCVE-0-2018-14623)

    Vulnerability from cvelistv5 – Published: 2018-12-13 22:00 – Updated: 2024-08-05 09:29
    VLAI
    Summary
    A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulnerable.
    Assigner
    References
    Impacted products
    Vendor Product Version
    The Foreman Project katello Affected: 3.10 and older
    Create a notification for this product.
    Date Public
    2018-12-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:29:51.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14623"
              },
              {
                "name": "106224",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/106224"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello",
              "vendor": "The Foreman Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.10 and older"
                }
              ]
            }
          ],
          "datePublic": "2018-12-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A SQL injection flaw was found in katello\u0027s errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulnerable."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-18T10:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14623"
            },
            {
              "name": "106224",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/106224"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-14623",
        "datePublished": "2018-12-13T22:00:00.000Z",
        "dateReserved": "2018-07-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T09:29:51.865Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-2662 (GCVE-0-2017-2662)

    Vulnerability from cvelistv5 – Published: 2018-08-22 16:00 – Updated: 2024-08-05 14:02
    VLAI
    Summary
    A flaw was found in Foreman's katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2017-03-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:02:07.107Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2662"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://projects.theforeman.org/issues/18838"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "foreman katello plugin",
              "vendor": "The Foreman Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.5"
                }
              ]
            }
          ],
          "datePublic": "2017-03-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Foreman\u0027s katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-08-22T15:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2662"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://projects.theforeman.org/issues/18838"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-2662",
        "datePublished": "2018-08-22T16:00:00.000Z",
        "dateReserved": "2016-12-01T00:00:00.000Z",
        "dateUpdated": "2024-08-05T14:02:07.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-9595 (GCVE-0-2016-9595)

    Vulnerability from cvelistv5 – Published: 2018-07-27 18:00 – Updated: 2024-08-06 02:59
    VLAI
    Summary
    A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:0336 vendor-advisoryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Foreman katello-debug Affected: 3.4.0
    Create a notification for this product.
    Date Public
    2018-07-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:59:02.231Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:0336",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0336"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello-debug",
              "vendor": "Foreman",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-377",
                  "description": "CWE-377",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-28T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:0336",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0336"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-9595",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "katello-debug",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Foreman"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ],
                [
                  {
                    "vectorString": "6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C",
                    "version": "2.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-377"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:0336",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0336"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-9595",
        "datePublished": "2018-07-27T18:00:00.000Z",
        "dateReserved": "2016-11-23T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:59:02.231Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-2143 (GCVE-0-2013-2143)

    Vulnerability from cvelistv5 – Published: 2014-04-17 14:00 – Updated: 2024-08-06 15:27
    VLAI
    Summary
    The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://www.exploit-db.com/exploits/32515 exploitx_refsource_EXPLOIT-DB
    http://packetstormsecurity.com/files/125866/Katel… x_refsource_MISC
    http://www.securityfocus.com/bid/66434 vdb-entryx_refsource_BID
    http://www.osvdb.org/104981 vdb-entryx_refsource_OSVDB
    Date Public
    2014-03-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T15:27:40.812Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "32515",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/32515"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/125866/Katello-Red-Hat-Satellite-users-update_roles-Missing-Authorization.html"
              },
              {
                "name": "66434",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/66434"
              },
              {
                "name": "104981",
                "tags": [
                  "vdb-entry",
                  "x_refsource_OSVDB",
                  "x_transferred"
                ],
                "url": "http://www.osvdb.org/104981"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-03-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2014-04-17T12:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "32515",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/32515"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/125866/Katello-Red-Hat-Satellite-users-update_roles-Missing-Authorization.html"
            },
            {
              "name": "66434",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/66434"
            },
            {
              "name": "104981",
              "tags": [
                "vdb-entry",
                "x_refsource_OSVDB"
              ],
              "url": "http://www.osvdb.org/104981"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-2143",
        "datePublished": "2014-04-17T14:00:00.000Z",
        "dateReserved": "2013-02-19T00:00:00.000Z",
        "dateUpdated": "2024-08-06T15:27:40.812Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2012-3503 (GCVE-0-2012-3503)

    Vulnerability from cvelistv5 – Published: 2012-08-25 10:00 – Updated: 2024-08-06 20:05
    VLAI
    Summary
    The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://secunia.com/advisories/50344 third-party-advisoryx_refsource_SECUNIA
    http://rhn.redhat.com/errata/RHSA-2012-1187.html vendor-advisoryx_refsource_REDHAT
    http://www.securityfocus.com/bid/55140 vdb-entryx_refsource_BID
    https://github.com/Katello/katello/pull/499 x_refsource_CONFIRM
    https://github.com/Katello/katello/commit/7c256fe… x_refsource_CONFIRM
    http://rhn.redhat.com/errata/RHSA-2012-1186.html vendor-advisoryx_refsource_REDHAT
    Date Public
    2012-08-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T20:05:12.721Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "50344",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/50344"
              },
              {
                "name": "RHSA-2012:1187",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2012-1187.html"
              },
              {
                "name": "55140",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/55140"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/Katello/katello/pull/499"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3"
              },
              {
                "name": "RHSA-2012:1186",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2012-1186.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2012-08-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-03-22T09:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "50344",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/50344"
            },
            {
              "name": "RHSA-2012:1187",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2012-1187.html"
            },
            {
              "name": "55140",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/55140"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/Katello/katello/pull/499"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3"
            },
            {
              "name": "RHSA-2012:1186",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2012-1186.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2012-3503",
        "datePublished": "2012-08-25T10:00:00.000Z",
        "dateReserved": "2012-06-14T00:00:00.000Z",
        "dateUpdated": "2024-08-06T20:05:12.721Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }