CVE-2019-3845

Name
CVE-2019-3845
Description
A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent in versions before Satellite 6.2, Satellite 6.1 optional and Satellite Capsule 6.1. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods to any host also registered to Satellite (or Capsule) and execute privileged commands.
NVD Severity
medium

References

| Type | URI |
| --- | --- |
| Issue Tracking | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3845 |
| Third Party Advisory | https://access.redhat.com/errata/RHSA-2019:1223 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:redhat:satellite:*:*:*:*:*:*:*:* | satellite | >= None | < 6.2 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| satellite | edge-community | 1.0.0-r38 | Pedro Lucas Porcellis <porcellis@eletrotupi.com> | possibly vulnerable |
| satellite | edge-community | 1.0.0-r37 | Pedro Lucas Porcellis <porcellis@eletrotupi.com> | possibly vulnerable |
| satellite | edge-community | 1.0.0-r36 | Pedro Lucas Porcellis <porcellis@eletrotupi.com> | possibly vulnerable |