CVE-2019-3845 - Improper Access Control vulnerability in Redhat Satellite

Publication

2019-04-11

Last modification

2019-05-14

Summary

A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent in versions before Satellite 6.2, Satellite 6.1 optional and Satellite Capsule 6.1. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to invoke QMF methods on any other host also registered to that Satellite (or Capsule) and execute privileged commands there.

Classification

CWE-284 - Improper Access Control

Risk level (CVSS AV:A/AC:L/Au:S/C:P/I:P/A:P)

Medium

5.2

Access Vector

Adjacent Network (AV:A)

Access Complexity

Low (AC:L)

Authentication

Single (Au:S)

Confidentiality Impact

Partial (C:P)

Integrity Impact

Partial (I:P)

Affected Products

Vendor   Product    Versions
Redhat   Satellite  5.1.1, 5.2, 5.3, 5.4, 5.4.1, 5.5, 5.6, 5.7, 5.8, 5.8.0, 6.0, 6.1