cbcvebase.
CVE-2019-10137
published 2019-07-02

Priority: P265, critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.12% (86.2th percentile)
A path traversal flaw was found in spacewalk-proxy, all versions through 2.9, in the way the proxy processes cached client tokens. A remote, unauthenticated attacker could use this flaw to test the existence of arbitrary files, if they have access to the proxy's filesystem, or can execute arbitrary code in the context of the httpd process.

Affected

3 ranges

Vendor            Product          Version range   Fixed in
redhat            satellite
redhat            spacewalk        <= 2.9
spacewalkproject  spacewalk-proxy

Detection & IOCs

  • Monitor HTTP requests to spacewalk-proxy for the 'X-RHN-Server-ID' header containing path traversal sequences (e.g., '../'), as untrusted user input in this header is used directly as part of a filesystem path
  • Trace the call chain for exploitation: __checkAuthSessionTokenCache -> update_client_token_if_valid -> set_client_token -> AuthLocalBackend.__setitem__ (_compute_key) -> _fname -> cleanupPath — any anomalous path resolution through this chain indicates active exploitation
  • Exploitation is possible without authentication; alert on unauthenticated requests to the proxy that trigger file read/write/truncate/delete operations or directory creation outside the token cache directory
  • Differentiate file-existence probing from normal traffic: the error response from the proxy differs depending on whether the traversed token file exists or not, which can be used as an oracle by attackers
  • Watch for deserialization activity on the proxy server in the httpd process context following suspicious file writes; if an attacker can place a crafted file at an arbitrary location, code execution occurs during unserialization of the token file
  • The path traversal vulnerability is only exploitable when CFG.USE_LOCAL_AUTH is set to true in the spacewalk-proxy configuration
  • SELinux in enforcing mode mitigates the vulnerability by preventing the proxy from accessing files with an incompatible SELinux context
  • While the attacker can force the proxy to read files outside the token directory, file contents are not revealed unless the file is specially crafted; arbitrary data writes outside the token directory are also not possible via this flaw alone
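As an added example (not code from this page or from the Spacewalk project), a small Python detector that applies the first bullet above: it decodes and normalises the X-RHN-Server-ID value against an assumed token cache directory and flags requests whose value would resolve outside it. The cache directory path, the log line format and the sample log lines are assumptions constructed for the example.

```python
"""Detection helper for CVE-2019-10137 style traversal in X-RHN-Server-ID.
Added example; the cache directory, log format and sample lines are assumed."""
import posixpath
from urllib.parse import unquote

# Assumed location of the proxy's token cache (not stated on the page).
TOKEN_CACHE_DIR = "/var/cache/rhn/proxy-auth"


def resolves_outside_cache(server_id: str, base: str = TOKEN_CACHE_DIR) -> bool:
    """True if base/<server_id> would normalise to a path outside `base`.
    Percent-decodes twice so that %2e%2e%2f and double-encoded forms are caught,
    and treats an embedded NUL byte as suspicious."""
    decoded = unquote(unquote(server_id))
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    inside = candidate == base or candidate.startswith(base + "/")
    return (not inside) or ("\x00" in decoded)


def flag_requests(log_lines):
    """Return (line_no, header_value) for each line whose X-RHN-Server-ID header
    would escape the cache directory. Assumed log format per line:
    '<timestamp> <method> <path> X-RHN-Server-ID=<value>'."""
    marker = "X-RHN-Server-ID="
    hits = []
    for n, line in enumerate(log_lines, 1):
        idx = line.find(marker)
        if idx == -1:
            continue  # request carried no client token header
        rest = line[idx + len(marker):].split()
        value = rest[0] if rest else ""
        if resolves_outside_cache(value):
            hits.append((n, value))
    return hits


# Constructed sample log: one benign numeric server id, three traversal attempts
# (plain, percent-encoded, double-encoded) and one request without the header.
SAMPLE_LOG = [
    "2019-07-02T10:00:01 GET /XMLRPC X-RHN-Server-ID=1000010001",
    "2019-07-02T10:00:02 GET /XMLRPC X-RHN-Server-ID=../../../../tmp/probe",
    "2019-07-02T10:00:03 GET /XMLRPC X-RHN-Server-ID=..%2F..%2Ftmp%2Fprobe",
    "2019-07-02T10:00:04 GET /XMLRPC X-RHN-Server-ID=%252e%252e%252ftmp%252fprobe",
    "2019-07-02T10:00:05 POST /XMLRPC",
]

if __name__ == "__main__":
    for line_no, value in flag_requests(SAMPLE_LOG):
        print(f"line {line_no}: X-RHN-Server-ID escapes token cache: {value!r}")
```

The same containment check (normalise, then require the result to stay under the cache directory) is what a fix on the server side needs to enforce before any file operation on the token path.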

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat            8.1     HIGH