proxies_controller.rb in Katello in Red Hat CloudForms before 1.1 does not properly check permissions, which allows remote authenticated users to read consumer certificates or change arbitrary users settings via unspecified vectors related to the consumer UUID of a system.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cloudforms | Redhat | * | 1.0 (including) |
| CloudForms for RHEL 6 | RedHat | candlepin-0:0.7.8.1-1.el6cf | * |
| CloudForms for RHEL 6 | RedHat | gofer-0:0.66.1-2.el6cf | * |
| CloudForms for RHEL 6 | RedHat | grinder-0:0.0.150-1.el6cf | * |
| CloudForms for RHEL 6 | RedHat | katello-0:1.1.12-22.el6cf | * |
| CloudForms for RHEL 6 | RedHat | katello-agent-0:1.1.2-1.el6cf | * |
| CloudForms for RHEL 6 | RedHat | katello-certs-tools-0:1.1.8-1.el6cf | * |
| CloudForms for RHEL 6 | RedHat | katello-cli-0:1.1.8-12.el6cf | * |
| CloudForms for RHEL 6 | RedHat | katello-cli-tests-0:1.1.5-2.el6cf | * |
| CloudForms for RHEL 6 | RedHat | katello-configure-0:1.1.9-12.el6cf | * |
| CloudForms for RHEL 6 | RedHat | katello-selinux-0:1.1.1-2.el6cf | * |
| CloudForms for RHEL 6 | RedHat | pulp-0:1.1.14-1.el6cf | * |
| CloudForms for RHEL 6 | RedHat | quartz-0:2.1.5-4.el6cf | * |
| CloudForms for RHEL 6 | RedHat | rubygem-apipie-rails-0:0.0.11-3.el6cf | * |
| CloudForms Tools for RHEL 5 | RedHat | gofer-0:0.66.1-2.el5 | * |
| CloudForms Tools for RHEL 5 | RedHat | katello-agent-0:1.1.2-1.el5 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | apache-commons-codec-0:1.7-2.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | apache-mime4j-0:0.6-4_redhat_1.ep6.el6.1 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | candlepin-0:0.7.23-1.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | elasticsearch-0:0.19.9-5.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | katello-0:1.2.1-15h.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | katello-certs-tools-0:1.2.1-1h.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | katello-cli-0:1.2.1-12h.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | katello-configure-0:1.2.3-3h.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | katello-selinux-0:1.2.1-2h.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | lucene3-0:3.6.1-10h.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | puppet-0:2.6.17-2.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | quartz-0:2.1.5-4.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-activesupport-1:3.0.10-10.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-apipie-rails-0:0.0.12-2.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-ldap_fluff-0:0.1.3-1.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-mail-0:2.3.0-3.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-rack-1:1.3.0-3.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-ruby_parser-0:2.0.4-6.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | sigar-0:1.6.5-0.12.git58097d9h.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | snappy-java-0:1.0.4-2.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | thumbslug-0:0.0.28-1.el6_3 | * |
References
- http://osvdb.org/88140
- http://osvdb.org/88142
- http://rhn.redhat.com/errata/RHSA-2012-1543.html
- http://rhn.redhat.com/errata/RHSA-2013-0544.html
- http://secunia.com/advisories/51472
- http://www.securityfocus.com/bid/56819
- https://bugzilla.redhat.com/show_bug.cgi?id=882129
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80549
- http://osvdb.org/88140
- http://osvdb.org/88142
- http://rhn.redhat.com/errata/RHSA-2012-1543.html
- http://rhn.redhat.com/errata/RHSA-2013-0544.html
- http://secunia.com/advisories/51472
- http://www.securityfocus.com/bid/56819
- https://bugzilla.redhat.com/show_bug.cgi?id=882129
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80549