Vulnerabilities > Redhat > Satellite
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-04-16 | CVE-2016-9593 | Credentials Management vulnerability in multiple products foreman-debug before version 1.15.0 is vulnerable to a flaw in foreman-debug's logging. | 8.8 |
| 2018-04-16 | CVE-2018-5382 | Improper Validation of Integrity Check Value vulnerability in multiple products The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. | 4.4 |
| 2018-04-05 | CVE-2018-1096 | SQL Injection vulnerability in multiple products An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. | 6.5 |
| 2018-04-04 | CVE-2018-1097 | A flaw was found in foreman before 1.16.1. | 8.8 |
| 2018-03-14 | CVE-2018-1077 | XXE vulnerability in Redhat Satellite and Spacewalk Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server. | 7.5 |
| 2018-03-12 | CVE-2017-2667 | Improper Certificate Validation vulnerability in multiple products Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. | 8.1 |
| 2018-02-27 | CVE-2017-15136 | Unspecified vulnerability in Redhat Satellite 6.0 When registering and activating a new system with Red Hat Satellite 6 if the new systems hostname is then reset to the hostname of a previously registered system the previously registered system will lose access to updates including security updates. | 2.7 |
| 2018-02-09 | CVE-2017-10690 | Improper Privilege Management vulnerability in multiple products In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. | 6.5 |
| 2018-02-09 | CVE-2017-10689 | Improper Privilege Management vulnerability in multiple products In previous versions of Puppet Agent it was possible to install a module with world writable permissions. | 5.5 |
| 2018-02-06 | CVE-2017-15095 | Deserialization of Untrusted Data vulnerability in multiple products A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | 9.8 |