CVE-2021-4142

The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin.

CVSS v3.0 5.5 MEDIUM

5.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/candlepin/candlepin/pull/3199	Patch Third Party Advisory
https://github.com/candlepin/candlepin/pull/3198	Third Party Advisory
https://github.com/candlepin/candlepin/pull/3197	Patch Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2034346	Issue Tracking Vendor Advisory
https://access.redhat.com/security/cve/CVE-2021-4142	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:candlepinproject:candlepin::::::::
	cpe:2.3:a:candlepinproject:candlepin::::::::
	cpe:2.3:a:candlepinproject:candlepin::::::::

History

07 Nov 2023, 03:40

Type	Values Removed	Values Added
CWE	~~CWE-287~~

Information

Published : 2022-08-24 16:15

Updated : 2023-11-07 03:40

NVD link : CVE-2021-4142

Mitre link : CVE-2021-4142

JSON object : View

Products Affected

candlepinproject

candlepin

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/candlepin/candlepin/pull/3199", "name": "https://github.com/candlepin/candlepin/pull/3199", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/candlepin/candlepin/pull/3198", "name": "https://github.com/candlepin/candlepin/pull/3198", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/candlepin/candlepin/pull/3197", "name": "https://github.com/candlepin/candlepin/pull/3197", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034346", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2034346", "tags": ["Issue Tracking", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://access.redhat.com/security/cve/CVE-2021-4142", "name": "https://access.redhat.com/security/cve/CVE-2021-4142", "tags": ["Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-639"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-4142", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}}, "publishedDate": "2022-08-24T16:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "4.1.8-1", "versionStartIncluding": "4.1.0"}, {"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "3.2.21-1", "versionStartIncluding": "3.2.0"}, {"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "3.1.28-2", "versionStartIncluding": "3.1.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-11-07T03:40Z"}