CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0241
https://notcve.org/view.php?id=CVE-2014-0241
13 Dec 2019 — rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml world readable rubygem-hammer_cli_foreman: El archivo /etc/hammer/cli.modules.d/foreman.yml es de tipo world readable. • https://access.redhat.com/security/cve/cve-2014-0241 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 2CVE-2013-2101
https://notcve.org/view.php?id=CVE-2013-2101
03 Dec 2019 — Katello has multiple XSS issues in various entities Katello presenta múltiples problemas de tipo XSS en varias entidades. • https://access.redhat.com/security/cve/cve-2013-2101 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 2%CPEs: 11EXPL: 1CVE-2013-6461
https://notcve.org/view.php?id=CVE-2013-6461
05 Nov 2019 — Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits La gema Nokogiri versiones 1.5.x y 1.6.x, tienebn una DoS durante el análisis de entidades XML al fallar para aplicar límites. • http://www.openwall.com/lists/oss-security/2013/12/27/2 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 6.5EPSS: 2%CPEs: 11EXPL: 1CVE-2013-6460
https://notcve.org/view.php?id=CVE-2013-6460
05 Nov 2019 — Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents La gema Nokogiri versiones 1.5.x, tiene una Denegación de Servicio por medio de un bucle infinito cuando se analizan documentos XML. • http://www.openwall.com/lists/oss-security/2013/12/27/2 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 7.4EPSS: 0%CPEs: 33EXPL: 0CVE-2019-0223 – qpid-proton: TLS Man in the Middle Vulnerability
https://notcve.org/view.php?id=CVE-2019-0223
23 Apr 2019 — While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic. Mientras investigábamos el error PROTON-2014, descubrimos que en algunas circ... • http://www.openwall.com/lists/oss-security/2019/04/23/4 • CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-3891 – candlepin: credentials exposure through log files
https://notcve.org/view.php?id=CVE-2019-3891
12 Apr 2019 — It was discovered that a world-readable log file belonging to Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Satellite host can use those credentials to modify the database and prevent Satellite from fetching package updates, thus preventing all Satellite hosts from accessing those updates. Se descubrió que un archivo de registro de lectura para todos los usuarios, perteneciente al componente Candlepin de Red Hat Satelli... • https://access.redhat.com/errata/RHSA-2019:1222 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2019-3893 – foreman: Recover of plaintext password or token for the compute resources
https://notcve.org/view.php?id=CVE-2019-3893
09 Apr 2019 — In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable. En Foreman se descubrió que la operación de eliminar recursos de cálculo, cuando se ejecuta desde la API de Forema... • http://www.openwall.com/lists/oss-security/2019/04/14/2 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-3845 – katello-installer-base: QMF methods exposed to goferd via qdrouterd
https://notcve.org/view.php?id=CVE-2019-3845
09 Apr 2019 — A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent in versions before Satellite 6.2, Satellite 6.1 optional and Satellite Capsule 6.1. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods to any host also registered to Satellite (or Capsule) and execute privileged commands. Se encontró una falta de control de acceso en las colas de mensajes mantenidas por el broker QPID de S... • https://access.redhat.com/errata/RHSA-2019:1223 • CWE-284: Improper Access Control •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2018-14666
https://notcve.org/view.php?id=CVE-2018-14666
22 Jan 2019 — An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change configuration of any host registered in Red Hat Satellite, independent of the organization the host belongs to. This flaw affects all Red Hat Satellite 6 versions. Se ha encontrado un fallo de autorización incorrecta en la funcionalidad Smart Class en Foreman. Un atacante puede usarlo para cambiar la configuración de cualquier host que se encuentra registrado en Red Hat Satellite, independienteme... • http://www.securityfocus.com/bid/106490 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2018-16887 – katello: stored XSS in subscriptions and repositories pages
https://notcve.org/view.php?id=CVE-2018-16887
13 Jan 2019 — A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before 3.9.0 are vulnerable. Se ha encontrado un error de Cross-Site Scripting (XSS) en el componente "katello" de Sa... • https://access.redhat.com/errata/RHSA-2019:1222 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •