Product:

Satellite

(Redhat)
Date Id Summary Products Score Patch Annotated
2017-07-17 CVE-2016-4996 discovery-debug in Foreman before 6.2 when the ssh service has been enabled on discovered nodes displays the root password in plaintext in the system journal when used to log in, which allows local users with access to the system journal to obtain the root password by reading the system journal, or by clicking Logs on the console. Satellite 7.0
2018-04-04 CVE-2018-1097 A flaw was found in foreman before 1.16.1. The issue allows users with limited permissions for powering oVirt/RHV hosts on and off to discover the username and password used to connect to the compute resource. Satellite, Foreman 8.8
2018-07-26 CVE-2017-12175 Red Hat Satellite before 6.5 is vulnerable to a XSS in discovery rule when you are entering filter and you use autocomplete functionality. Satellite 5.4
2018-07-27 CVE-2017-7470 It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py. Satellite, Spacewalk 9.8
2018-07-30 CVE-2017-7514 A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users. Satellite 5.4
2018-08-09 CVE-2018-10931 It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. Cobbler, Satellite 9.8
2019-07-02 CVE-2019-10136 It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. Satellite, Spacewalk 4.3
2019-07-02 CVE-2019-10137 A path traversal flaw was found in spacewalk-proxy, all versions through 2.9, in the way the proxy processes cached client tokens. A remote, unauthenticated attacker could use this flaw to test the existence of arbitrary files, if they have access to the proxy's filesystem, or can execute arbitrary code in the context of the httpd process. Satellite, Spacewalk 9.8
2019-12-03 CVE-2013-2101 Katello has multiple XSS issues in various entities Satellite, Katello 5.4
2019-04-09 CVE-2019-3893 In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable. Satellite, Foreman 4.9