CVE-2013-2143
published 2014-04-17


Priority: P3 (56)
CVSS 2.0: 6.5 medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploit: available
EPSS: 48.22% (98.7th percentile)
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

Affected

1 range

Vendor       Product   Version range   Fixed in
theforeman   katello   <= 1.5.0-14     (not listed)

Detection & IOCs (extracted from sources)

url: /users/{id}/update_roles
url: /user_session/new
url: /dashboard
cookie: _katello_session
path: /app/controllers/users_controller.rb
command: PUT /users/{id}/update_roles with user[role_ids][]=1
  • Detect unauthenticated or low-privilege PUT requests to the update_roles endpoint; any PUT to /users/<id>/update_roles from a non-admin session is anomalous and indicative of privilege escalation exploitation.
  • Monitor for HTTP PUT requests containing the POST body parameter 'user[role_ids][]=1', which sets the target account to administrator (role ID 1).
  • Look for the X-CSRF-Token header being supplied alongside a _katello_session cookie in PUT requests to /users/*/update_roles — this is the exact pattern used by the Metasploit exploit module.
  • Alert on successful HTTP responses (X-Message-Type: success) to PUT /users/*/update_roles from non-administrative accounts, indicating a successful privilege escalation.
  • Inspect Katello/Satellite application logs for calls to the update_roles action in users_controller.rb originating from non-admin users.
  • The vulnerability only affects Katello 1.5.0-14 and earlier; Red Hat Satellite 6 (katello package) is listed as Not Affected, so detection efforts should be scoped to legacy Satellite/Subscription Asset Manager deployments.
  • The Metasploit module defaults to SSL on port 443; detections based on port alone may miss deployments running on non-standard ports.
  • The exploit requires valid credentials for any existing user account (remote authenticated users); purely unauthenticated traffic detection will not catch this attack.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_redhat   -         6.5     MEDIUM     -