Lucene search

Veracode Vulnerability DatabaseVERACODE:18961

HistoryMay 16, 2019 - 2:19 a.m.

Authentication Bypass

2019-05-1602:19:09

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

JSON

Red Hat Satellite is vulnerable to authentication bypass attacks. This is because the Pulp’s pulp-qpid-ssl-cfg script uses bash’s $RANDOM in unsafe ways to generate a NSS DB password. An attacker could potentially guess the seed used given enough time and compute resources.

CPENameOperatorVersion
tfm-rubygem-foreman_discoveryeq5.0.0.9__1.el7sat
tfm-rubygem-foreman_discoveryeq5.0.0.8__1.el7sat
tfm-rubygem-hammer_cli_foreman_taskseq0.0.10.3__1.el7sat
tfm-rubygem-bastioneq3.2.0.14__1.el7sat
tfm-rubygem-bastioneq3.2.0.9__1.el7sat
tfm-rubygem-bastioneq3.2.0.10__1.el7sat
pulp-dockereq2.0.3__1.el7sat
pulp-dockereq2.0.3.1__1.el7sat
pulp-dockereq2.0.1.1__1.el7sat
pulp-dockereq2.0.1__1.el7ui

Name	Operator	Version
tfm-rubygem-foreman_discovery	eq	5.0.0.9__1.el7sat
tfm-rubygem-foreman_discovery	eq	5.0.0.8__1.el7sat
tfm-rubygem-hammer_cli_foreman_tasks	eq	0.0.10.3__1.el7sat
tfm-rubygem-bastion	eq	3.2.0.14__1.el7sat
tfm-rubygem-bastion	eq	3.2.0.9__1.el7sat
tfm-rubygem-bastion	eq	3.2.0.10__1.el7sat
pulp-docker	eq	2.0.3__1.el7sat
pulp-docker	eq	2.0.3.1__1.el7sat
pulp-docker	eq	2.0.1.1__1.el7sat
pulp-docker	eq	2.0.1__1.el7ui

Rows per page:

1-10 of 6841

References

access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html/release_notes/

access.redhat.com/errata/RHSA-2018:0336

access.redhat.com/security/cve/CVE-2016-3704

access.redhat.com/security/cve/CVE-2017-15699

access.redhat.com/security/cve/CVE-2017-2295

access.redhat.com/security/updates/classification/#important

bugzilla.redhat.com/show_bug.cgi?id=1019214

bugzilla.redhat.com/show_bug.cgi?id=1132402

bugzilla.redhat.com/show_bug.cgi?id=1133515

bugzilla.redhat.com/show_bug.cgi?id=1140671

bugzilla.redhat.com/show_bug.cgi?id=1144042

bugzilla.redhat.com/show_bug.cgi?id=1145653

bugzilla.redhat.com/show_bug.cgi?id=1154382

bugzilla.redhat.com/show_bug.cgi?id=1177766

bugzilla.redhat.com/show_bug.cgi?id=1187338

bugzilla.redhat.com/show_bug.cgi?id=1190002

bugzilla.redhat.com/show_bug.cgi?id=1199204

bugzilla.redhat.com/show_bug.cgi?id=1210878

bugzilla.redhat.com/show_bug.cgi?id=1215825

bugzilla.redhat.com/show_bug.cgi?id=1217523

bugzilla.redhat.com/show_bug.cgi?id=1245642

bugzilla.redhat.com/show_bug.cgi?id=1255484

bugzilla.redhat.com/show_bug.cgi?id=1257588

bugzilla.redhat.com/show_bug.cgi?id=1260697

bugzilla.redhat.com/show_bug.cgi?id=1263748

bugzilla.redhat.com/show_bug.cgi?id=1264043

bugzilla.redhat.com/show_bug.cgi?id=1264732

bugzilla.redhat.com/show_bug.cgi?id=1265125

bugzilla.redhat.com/show_bug.cgi?id=1270771

bugzilla.redhat.com/show_bug.cgi?id=1274159

bugzilla.redhat.com/show_bug.cgi?id=1278642

bugzilla.redhat.com/show_bug.cgi?id=1278644

bugzilla.redhat.com/show_bug.cgi?id=1284686

bugzilla.redhat.com/show_bug.cgi?id=1291935

bugzilla.redhat.com/show_bug.cgi?id=1292510

bugzilla.redhat.com/show_bug.cgi?id=1293538

bugzilla.redhat.com/show_bug.cgi?id=1303103

bugzilla.redhat.com/show_bug.cgi?id=1304608

bugzilla.redhat.com/show_bug.cgi?id=1305059

bugzilla.redhat.com/show_bug.cgi?id=1306723

bugzilla.redhat.com/show_bug.cgi?id=1309569

bugzilla.redhat.com/show_bug.cgi?id=1309944

bugzilla.redhat.com/show_bug.cgi?id=1313634

bugzilla.redhat.com/show_bug.cgi?id=1317614

bugzilla.redhat.com/show_bug.cgi?id=1318534

bugzilla.redhat.com/show_bug.cgi?id=1323436

bugzilla.redhat.com/show_bug.cgi?id=1324508

bugzilla.redhat.com/show_bug.cgi?id=1327030

bugzilla.redhat.com/show_bug.cgi?id=1328238

bugzilla.redhat.com/show_bug.cgi?id=1330264

bugzilla.redhat.com/show_bug.cgi?id=1336924

bugzilla.redhat.com/show_bug.cgi?id=1339715

bugzilla.redhat.com/show_bug.cgi?id=1340559

bugzilla.redhat.com/show_bug.cgi?id=1342623

bugzilla.redhat.com/show_bug.cgi?id=1344049

bugzilla.redhat.com/show_bug.cgi?id=1361473

bugzilla.redhat.com/show_bug.cgi?id=1366029

bugzilla.redhat.com/show_bug.cgi?id=1370168

bugzilla.redhat.com/show_bug.cgi?id=1376134

bugzilla.redhat.com/show_bug.cgi?id=1376191

bugzilla.redhat.com/show_bug.cgi?id=1382356

bugzilla.redhat.com/show_bug.cgi?id=1382735

bugzilla.redhat.com/show_bug.cgi?id=1384146

bugzilla.redhat.com/show_bug.cgi?id=1384548

bugzilla.redhat.com/show_bug.cgi?id=1386266

bugzilla.redhat.com/show_bug.cgi?id=1386278

bugzilla.redhat.com/show_bug.cgi?id=1390545

bugzilla.redhat.com/show_bug.cgi?id=1391831

bugzilla.redhat.com/show_bug.cgi?id=1393409

bugzilla.redhat.com/show_bug.cgi?id=1394056

bugzilla.redhat.com/show_bug.cgi?id=1402922

bugzilla.redhat.com/show_bug.cgi?id=1410872

bugzilla.redhat.com/show_bug.cgi?id=1412186

bugzilla.redhat.com/show_bug.cgi?id=1413851

bugzilla.redhat.com/show_bug.cgi?id=1416119

bugzilla.redhat.com/show_bug.cgi?id=1417073

bugzilla.redhat.com/show_bug.cgi?id=1420711

bugzilla.redhat.com/show_bug.cgi?id=1422458

bugzilla.redhat.com/show_bug.cgi?id=1425121

bugzilla.redhat.com/show_bug.cgi?id=1425523

bugzilla.redhat.com/show_bug.cgi?id=1426404

bugzilla.redhat.com/show_bug.cgi?id=1426411

bugzilla.redhat.com/show_bug.cgi?id=1426448

bugzilla.redhat.com/show_bug.cgi?id=1428761

bugzilla.redhat.com/show_bug.cgi?id=1429426

bugzilla.redhat.com/show_bug.cgi?id=1434069

bugzilla.redhat.com/show_bug.cgi?id=1435972

bugzilla.redhat.com/show_bug.cgi?id=1438376

bugzilla.redhat.com/show_bug.cgi?id=1439850

bugzilla.redhat.com/show_bug.cgi?id=1445807

bugzilla.redhat.com/show_bug.cgi?id=1446707

bugzilla.redhat.com/show_bug.cgi?id=1446719

bugzilla.redhat.com/show_bug.cgi?id=1452124

bugzilla.redhat.com/show_bug.cgi?id=1455057

bugzilla.redhat.com/show_bug.cgi?id=1455455

bugzilla.redhat.com/show_bug.cgi?id=1458817

bugzilla.redhat.com/show_bug.cgi?id=1464224

bugzilla.redhat.com/show_bug.cgi?id=1468248

bugzilla.redhat.com/show_bug.cgi?id=1480346

bugzilla.redhat.com/show_bug.cgi?id=1480348

bugzilla.redhat.com/show_bug.cgi?id=1493001

bugzilla.redhat.com/show_bug.cgi?id=1493494

bugzilla.redhat.com/show_bug.cgi?id=1517827

bugzilla.redhat.com/show_bug.cgi?id=1529099

docs.pulpproject.org/user-guide/release-notes/2.8.x.html#pulp-2-8-5

github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L25

github.com/pulp/pulp/blob/pulp-2.8.2-1/server/bin/pulp-qpid-ssl-cfg#L97-L105

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YM2LCC7QBRCK4LTN5EZT5OHTVAR3MYTY/

lists.fedoraproject.org/archives/list/[email protected]/message/YM2LCC7QBRCK4LTN5EZT5OHTVAR3MYTY/

pulp.plan.io/issues/1858

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

JSON

Related for VERACODE:18961