CVE-2013-2143

Published: Apr 17, 2014Modified: May 6, 2026

6.5

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability: 8.0 / Impact: 6.4

Source: NVD

Description

The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

Affected (2)

Products: Redhat: Network Satellite · Theforeman: Katello

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Network Satellite	All versions
Theforeman Katello	Up to 1.5.0-14

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (8)

http://packetstormsecurity.com/files/125866/Katello-Red-Hat-Satellite-users-update_roles-Missing-Authorization.html

Source: secalert@redhat.com

Exploit

http://www.exploit-db.com/exploits/32515

Source: secalert@redhat.com

Exploit

http://www.osvdb.org/104981

Source: secalert@redhat.com

http://www.securityfocus.com/bid/66434

Source: secalert@redhat.com

Exploit

http://packetstormsecurity.com/files/125866/Katello-Red-Hat-Satellite-users-update_roles-Missing-Authorization.html

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://www.exploit-db.com/exploits/32515

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://www.osvdb.org/104981

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/66434

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.