CVE-2023-1832 – Improper authorization check in the server component
https://notcve.org/view.php?id=CVE-2023-1832
An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant. Se encontró una falla de control de acceso inadecuado en Candlepin. Un atacante puede crear datos pertenecientes a otro customer/tenant, lo que puede provocar una pérdida de confidencialidad y disponibilidad para el customer/tenant afectado. • https://access.redhat.com/security/cve/CVE-2023-1832 https://bugzilla.redhat.com/show_bug.cgi?id=2184364 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVE-2021-4142 – Satellite: Allow unintended SCA certificate to authenticate Candlepin
https://notcve.org/view.php?id=CVE-2021-4142
The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin. El componente Candlepin de Red Hat Satellite estaba afectado por un fallo de autenticación inapropiado. Algunos factores podían permitir a un atacante usar el certificado SCA (Simple Content Access) para la autenticación con Candlepin. • https://access.redhat.com/security/cve/CVE-2021-4142 https://bugzilla.redhat.com/show_bug.cgi?id=2034346 https://github.com/candlepin/candlepin/pull/3197 https://github.com/candlepin/candlepin/pull/3198 https://github.com/candlepin/candlepin/pull/3199 • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2015-5187
https://notcve.org/view.php?id=CVE-2015-5187
Candlepin allows remote attackers to obtain sensitive information by obtaining Java exception statements as a result of excessive web traffic. Candlepin permite a los atacantes remotos obtener información confidencial mediante la obtención de declaraciones de excepción Java como resultado de un tráfico web excesivo. • https://bugzilla.redhat.com/show_bug.cgi?id=1252147 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-399: Resource Management Errors •
CVE-2012-6119 – Candlepin: Re-enable manifest signature checking
https://notcve.org/view.php?id=CVE-2012-6119
Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests. Candlepin antes de v0.7.24, tal como se utiliza en el Administrador de Activos de Red Hat Suscripción antes de v1.2.1, no comprueba correctamente firmas de los manifest, que permite a usuarios locales modificarlos. • http://rhn.redhat.com/errata/RHSA-2013-0686.html http://secunia.com/advisories/52774 http://www.osvdb.org/91719 https://bugzilla.redhat.com/show_bug.cgi?id=908613 https://github.com/candlepin/candlepin/blob/master/candlepin.spec https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c https://access.redhat.com/security/cve/CVE-2012-6119 • CWE-264: Permissions, Privileges, and Access Controls •