CVE-2023-1832 — Improper Access Control in Candlepin

CWE-284 — Improper Access Control CWE-863 — Incorrect Authorization CWE-366 — Race Condition within a Thread8 documents7 sources

Severity

8.1HIGHNVD

CNA6.8

EPSS

0.1%

top 69.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Candlepinproject Candlepin Redhat Satellite

Timeline

PublishedOct 4

Latest updateDec 24

Description

An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶NVDcandlepinproject/candlepin< 4.3.7-3

▶NVDredhat/satellite6.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

af_unix: Fix data-race around unix_tot_inflight.↗2025-12-24

▶

GHSA

GHSA-4pcg-gfm2-cvg4: An improper access control flaw was found in Candlepin↗2023-10-04

▶

CVEList

Improper authorization check in the server component↗2023-10-04

▶

💥Exploits & PoCs

Exploit-DB

MyBB 1.8.32 - Remote Code Execution (RCE) (Authenticated)↗2023-04-03

▶

📋Vendor Advisories

Red Hat

candlepin: Improper authorization check in the server component↗2023-08-14

▶

🕵️Threat Intelligence

Wiz

CVE-2023-54006 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶