SUSE CVE-2015-0284
Cross-site scripting (XSS) vulnerability in spacewalk-java in Spacewalk and Red Hat Satellite 5.7 allows remote authenticated users to inject arbitrary web script or HTML via crafted XML data to the XMLRPC API, involving user details. NOTE: this vulnerability exists because of an incomplete fix for...
SUSE CVE-2016-3080
Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via the (1) RHNMD User or (2) Filesystem parameters, related to display of monitoring probes...
SUSE CVE-2016-3079
Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Spacewalk and Red Hat Satellite 5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the PATHINFO to systems/SystemEntitlements.do; (2) the label parameter to admin/multiorg/EntitlementDetails.do; or the name of a...
SUSE CVE-2016-3097
Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via a group name, related to viewing snapshot data...
SUSE CVE-2017-7470
It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py...
SUSE CVE-2018-1077
Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server...
SUSE CVE-2019-10136
It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum...
SUSE CVE-2019-10137
A path traversal flaw was found in spacewalk-proxy, all versions through 2.9, in the way the proxy processes cached client tokens. A remote, unauthenticated attacker could use this flaw to test the existence of arbitrary files, if they have access to the proxy's filesystem, or can execute arbitra...
SUSE CVE-2020-1693
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute...
SUSE CVE-2021-40348
Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to the installation...
SUSE CVE-2022-21952
A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46...
SUSE CVE-2022-31248
An Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.2 spacewalk-java...
SUSE CVE-2022-31255
An Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers to read files...
SUSE CVE-2022-43754
An Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers to embed...
SUSE CVE-2022-43753
An Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers to read files...
SUSE-SU-2023:0352-1 Security update for SUSE Manager Client Tools
This update fixes the following issues: grafana: - Update to version 8.5.15 (jsc#PED-2617): CVE-2022-39306: Fix for privilege escalation (bsc#1205225) CVE-2022-39307: Omit error from http response when user does not exist (bsc#1205227) - Update to version 8.5.14: CVE-2022-39201: Fix do not forward login...
SUSE-SU-2022:4442-1 Security update for SUSE Manager Server 4.2
This update fixes the following issues: spacewalk-java: - Version 4.2.44-1 Do not disclose Proxy password in browser console log. (bsc#1205339) spacewalk-web: - Version 4.2.31-1 Do not log Proxy password in browser console log. (bsc#1205339) susemanager-sync-data: - Version 4.2.14-1 Add SUSE Linux...
PT-2022-37537 · Red Hat · Spacewalk-Java +1
Name of the Vulnerable Software and Affected Versions: spacewalk-java versions 4.2.44-1 and earlier spacewalk-web versions 4.2.31-1 and earlier Description: The issue concerns the disclosure of the Proxy password in the browser console log. This problem is resolved by updating the affected...
spacewalk-backend spacewalk-java security update
spacewalk-backend 2.10.28-1.0.13 - Fix HTTP 500 and ORA-01830 on client scap report Orabug: 34823889 2.10.28-1.0.12 - Handle remote commands that return no output. Orabug: 32530545 2.10.28-1.0.11 - Make spacewalk-debug copy symlink target instead of the symlink itself. Orabug: 32514543...
Oracle Linux 7 : spacewalk-backend / spacewalk-java (ELSA-2022-10024)
The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-10024 advisory. - Fix CVE-2022-43753 Orabug: 34814068 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus...