CVE-2019-3845

Summary

A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent in versions before Satellite 6.2, Satellite 6.1 optional and Satellite Capsule 6.1. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods to any host also registered to Satellite (or Capsule) and execute privileged commands.

Affected Software

VendorProductVersion RangeStatus
Red Hatqpid-dispatch-routerfixed in Satellite >= 6.2affected
Red Hatqpid-dispatch-routerfixed in Satellite 6.1 - Optionalaffected
Red Hatqpid-dispatch-routerfixed in Satellite Capsule 6.1affected

Weaknesses

  • CWE-284: CWE-284

ADP Enrichment

CVE Program Container

Additional References

References