The Foreman Project Katello vulnerabilities
2 known vulnerabilities affecting the_foreman_project/katello.
Total CVEs
2
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH: 2
Vulnerabilities
CVE-2018-14623 | HIGH | CVSS 8.8 | v3.10 and older | 2018-12-13
CVE-2018-14623 [HIGH] CWE-89 CVE-2018-14623: A SQL injection flaw was found in katello's errata-related API
A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This issue is related to an incomplete fix for CVE-2016-3072. Versions 3.10 and older are vulnerable.
Source: cvelistv5
CVE-2016-3072 | HIGH | CVSS 8.8 | v3.10 and older | 2016-06-07
CVE-2016-3072 [HIGH] CWE-89 CVE-2016-3072: Multiple SQL injection vulnerabilities in the scoped_search function in app/controllers/katello/api/
Multiple SQL injection vulnerabilities in the scoped_search function in app/controllers/katello/api/v2/api_controller.rb in Katello allow remote authenticated users to execute arbitrary SQL commands via the (1) sort_by or (2) sort_order parameter.
Source: nvd