Red Hat Spacewalk 2.6

CPE Details

Red Hat Spacewalk 2.6
redhat
spacewalk
2.6
2018-11-01
16h32 +00:00
2018-11-01
16h32 +00:00
CPE NVD
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
Gestion des notifications

CPE Name: cpe:2.3:a:redhat:spacewalk:2.6:*:*:*:*:*:*:*

Informations

Vendor

redhat

Product

spacewalk

Version

2.6

Related CVE

Open and find in CVE List

CVE ID Publié Description Score Gravité
CVE-2020-1693 2020-02-17 18h35 +00:00 A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.
9.8
Critique
CVE-2019-10136 2019-07-02 17h29 +00:00 It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum.
4.3
Moyen
CVE-2019-10137 2019-07-02 17h28 +00:00 A path traversal flaw was found in spacewalk-proxy, all versions through 2.9, in the way the proxy processes cached client tokens. A remote, unauthenticated attacker could use this flaw to test the existence of arbitrary files, if they have access to the proxy's filesystem, or can execute arbitrary code in the context of the httpd process.
9.8
Critique
CVE-2018-1077 2018-03-14 18h00 +00:00 Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server.
7.5
Haute
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.