CVE-2021-4142
Satellite: Allow unintended SCA certificate to authenticate Candlepin
Severity Score: 5.5 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): see Affected Vendors, Products, and Versions below
Public Exploits: 0 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions
The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. A combination of factors could allow an attacker to use a Simple Content Access (SCA) certificate, a certificate issued for content access rather than for identifying a registered consumer, to authenticate to Candlepin.
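The pattern behind this class of bug is accepting "any certificate our CA signed, with a subject that names a known consumer" as proof of identity, so a content certificate from the same issuer passes the same check. The following Go program is an added illustration written for this page, not Candlepin's code and not the fix from the referenced pull requests; it goes beyond the page's specific case by showing the general binding a practitioner wants. It assumes a hypothetical server that stores, per consumer UUID, the SHA-256 fingerprint of the identity certificate issued at registration, and constructs a CA, one consumer identity certificate and an SCA-style content certificate whose subject names that consumer (a constructed worst case). `AuthenticateWeak` reproduces the flawed check (CWE-287, with the consumer chosen by a certificate-supplied key, CWE-639); `AuthenticateStrict` adds the fingerprint binding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Server is a hypothetical Candlepin-like service: the CA it trusts plus a
// registry mapping consumer UUID to the SHA-256 fingerprint of the identity
// certificate issued at registration (assumed schema, not Candlepin's).
type Server struct {
	roots    *x509.CertPool
	identity map[string]string
}

func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// AuthenticateWeak mirrors the flawed pattern: anything the server CA signed
// counts as an identity, and the consumer is chosen solely by the subject CN.
func (s *Server) AuthenticateWeak(cert *x509.Certificate) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", err
	}
	if _, ok := s.identity[cert.Subject.CommonName]; !ok {
		return "", errors.New("unknown consumer")
	}
	return cert.Subject.CommonName, nil
}

// AuthenticateStrict adds the missing binding: the presented certificate must
// be the identity certificate recorded for that consumer, nothing else.
func (s *Server) AuthenticateStrict(cert *x509.Certificate) (string, error) {
	uuid, err := s.AuthenticateWeak(cert)
	if err != nil {
		return "", err
	}
	if fingerprint(cert) != s.identity[uuid] {
		return "", errors.New("not the consumer's identity certificate")
	}
	return uuid, nil
}

// issue signs tmpl under parent; fixture helper only.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildFixture creates a CA, one registered consumer with its identity cert, and
// an SCA-style content cert from the same CA naming that consumer (constructed).
func BuildFixture() (srv *Server, identity, sca *x509.Certificate) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-candlepin-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	const uuid = "11111111-2222-4333-8444-555555555555" // constructed consumer UUID
	leaf := func(serial int64) *x509.Certificate {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: uuid},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature,
		}, ca, &k.PublicKey, caKey)
	}
	identity, sca = leaf(2), leaf(3)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srv = &Server{roots: roots, identity: map[string]string{uuid: fingerprint(identity)}}
	return srv, identity, sca
}

func main() {
	srv, _, sca := BuildFixture()
	_, weakErr := srv.AuthenticateWeak(sca)
	_, strictErr := srv.AuthenticateStrict(sca)
	fmt.Println("SCA cert accepted: weak =", weakErr == nil, "strict =", strictErr == nil)
}
```

Run with `go run .`: the weak check accepts the content certificate, the strict one rejects it. Pinning the exact certificate is one way to make the binding; checking a purpose-specific extension or key usage on the identity certificate is another, and a real deployment would also need revocation handling on re-registration, which this fixture omits.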
*Credits:
N/A
CVSS Scores (Common Vulnerability Scoring System)
- Base score: 5.5 (CVSS v3.1)
- Attack Vector: -
- Attack Complexity: -
- Privileges Required: -
- User Interaction: -
- Scope: -
- Confidentiality: -
- Integrity: -
- Availability: -
SSVC (Organization's Worst-case Scenario)
- Decision: -
- Exploitation: -
- Automatable: -
- Tech. Impact: -
Timeline
- 2021-12-20 CVE Reserved
- 2022-03-09 CVE Published
- 2023-11-29 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
- CWE-639: Authorization Bypass Through User-Controlled Key
CAPEC
References (5)
URL | Date | Tag | Source
---|---|---|---
https://github.com/candlepin/candlepin/pull/3198 | - | Third Party Advisory | -
https://github.com/candlepin/candlepin/pull/3197 | 2023-11-07 | - | -
https://github.com/candlepin/candlepin/pull/3199 | 2023-11-07 | - | -
https://access.redhat.com/security/cve/CVE-2021-4142 | 2022-07-05 | - | -
https://bugzilla.redhat.com/show_bug.cgi?id=2034346 | 2022-07-05 | - | -
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Candlepinproject | Candlepin | >= 3.1.0 <= 3.1.28-2 | - | Affected
Candlepinproject | Candlepin | >= 3.2.0 <= 3.2.21-1 | - | Affected
Candlepinproject | Candlepin | >= 4.1.0 <= 4.1.8-1 | - | Affected