Red Hat Satellite vulnerabilities
222 known vulnerabilities affecting redhat/satellite.
Total CVEs: 222
CISA KEV: 4 (actively exploited)
Public exploits: 5
Exploited in wild: 4
Severity breakdown: CRITICAL 30, HIGH 56, MEDIUM 109, LOW 27
Vulnerabilities
Page 5 of 12
CVE-2018-3180 [MEDIUM] | CVSS 5.6 | versions: v5.6, v5.7, +1 more | 2018-10-17
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Emb
Source: nvd
CVE-2018-3214 [MEDIUM] | CVSS 5.3 | versions: v5.6, v5.7, +1 more | 2018-10-17
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java
Source: nvd
CVE-2018-3139 [LOW] | CVSS 3.1 | versions: v5.6, v5.7, +1 more | 2018-10-17
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Success
Source: nvd
CVE-2018-3136 [LOW] | CVSS 3.4 | versions: v5.6, v5.7, +1 more | 2018-10-17
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successfu
Source: nvd
CVE-2017-7513 [MEDIUM] | CWE-295 | CVSS 5.4 | versions: v5.0, v5.1.1, +8 more | 2018-08-22
It was found that Satellite 5 configured with SSL/TLS for the PostgreSQL backend failed to correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a PostgreSQL server using a specially crafted X.509 certificate.
Source: nvd
CVE-2018-1517 [HIGH] | CWE-20 | CVSS 7.5 | versions: v5.6, v5.7, +1 more | 2018-08-20
A flaw in the java.math component in IBM SDK, Java Technology Edition 6.0, 7.0, and 8.0 may allow an attacker to inflict a denial-of-service attack with specially crafted String data. IBM X-Force ID: 141681.
Source: nvd
CVE-2018-1000632 [HIGH] | CWE-91 | CVSS 7.5 | versions: v6.6 | 2018-08-20
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability app
Source: nvd
CVE-2018-1656 [MEDIUM] | CWE-22 | CVSS 6.5 | versions: v5.6, v5.7, +1 more | 2018-08-20
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0, 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882.
Source: nvd
CVE-2018-10931 [CRITICAL] | CWE-749 | CVSS 9.8 | versions: v5.6, v5.7, +1 more | 2018-08-09
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.
Source: nvd
CVE-2016-8639 [MEDIUM] | CWE-79 | CVSS 5.4 | versions: v6.3 | 2018-08-01
It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.
Source: nvd
CVE-2017-7514 [MEDIUM] | CWE-79 | CVSS 5.4 | fixed in 5.8.0 | 2018-07-30
A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users.
Source: nvd
CVE-2017-7470 [CRITICAL] | CWE-863 | CVSS 9.8 | versions: v5.6, v5.7 | 2018-07-27
It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py.
Source: nvd
CVE-2016-9595 [MEDIUM] | CWE-377 | CVSS 5.5 | versions: v6.3 | 2018-07-27
A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
Source: nvd
CVE-2017-7538 [MEDIUM] | CWE-79 | CVSS 5.4 | fixed in 5.8 | 2018-07-26
A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users.
Source: nvd
CVE-2017-12175 [MEDIUM] | CWE-79 | CVSS 5.4 | fixed in 6.5 | 2018-07-26
Red Hat Satellite before 6.5 is vulnerable to a XSS in discovery rule when you are entering filter and you use autocomplete functionality.
Source: nvd
CVE-2018-2973 [MEDIUM] | CVSS 5.9 | versions: v5.6, v5.7, +1 more | 2018-07-18
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attack
Source: nvd
CVE-2018-2940 [MEDIUM] | CVSS 4.3 | versions: v5.6, v5.7, +1 more | 2018-07-18
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Suc
Source: nvd
CVE-2018-2952 [LOW] | CVSS 3.7 | versions: v5.6, v5.7, +1 more | 2018-07-18
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise J
Source: nvd
CVE-2017-2672 [HIGH] | CWE-312 | CVSS 8.8 | versions: v6.3 | 2018-06-21
A flaw was found in foreman before version 1.15 in the logging of adding and registering images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, allowing them to access those systems.
Source: nvd
CVE-2018-1090 [HIGH] | CWE-200 | CVSS 7.5 | versions: v6.4 | 2018-06-18
In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
Source: nvd