National Vulnerability Database

National Vulnerability Database

National Vulnerability

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:redhat:satellite:6.4
There are 9 matching records.
Vuln ID Summary CVSS Severity

It was discovered that a world-readable log file belonging to Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Satellite host can use those credentials to modify the database and prevent Satellite from fetching package updates, thus preventing all Satellite hosts from accessing those updates.

Published: April 15, 2019; 08:31:42 AM -04:00
V3.0: 7.8 HIGH
    V2: 2.1 LOW

An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change configuration of any host registered in Red Hat Satellite, independent of the organization the host belongs to. This flaw affects all Red Hat Satellite 6 versions.

Published: January 22, 2019; 10:29:00 AM -05:00
V3.0: 7.2 HIGH
    V2: 6.5 MEDIUM

Red Hat Satellite before 6.5 is vulnerable to a XSS in discovery rule when you are entering filter and you use autocomplete functionality.

Published: July 26, 2018; 01:29:00 PM -04:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW

In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.

Published: June 18, 2018; 10:29:00 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Published: April 26, 2018; 05:29:00 PM -04:00
V3.0: 5.9 MEDIUM
    V2: 4.3 MEDIUM

An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. A user could use this flaw to perform an SQL injection attack on the back end database.

Published: April 05, 2018; 05:29:01 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM

A flaw was found in foreman before 1.16.1. The issue allows users with limited permissions for powering oVirt/RHV hosts on and off to discover the username and password used to connect to the compute resource.

Published: April 04, 2018; 05:29:00 PM -04:00
V3.0: 8.8 HIGH
    V2: 4.0 MEDIUM

In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4

Published: February 09, 2018; 03:29:00 PM -05:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM

In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.

Published: February 09, 2018; 03:29:00 PM -05:00
V3.0: 5.5 MEDIUM
    V2: 2.1 LOW