CVE-2021-4142

Published: Aug 24, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin.

Affected (3)

Products: Candlepinproject: Candlepin

Candlepinproject

1 product

Candlepin

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Candlepinproject Candlepin	From 3.1.0 to 3.1.28-2
Candlepinproject Candlepin	From 3.2.0 to 3.2.21-1
Candlepinproject Candlepin	From 4.1.0 to 4.1.8-1

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (10)

https://access.redhat.com/security/cve/CVE-2021-4142

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2034346

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://github.com/candlepin/candlepin/pull/3197

Source: secalert@redhat.com

PatchThird Party Advisory

https://github.com/candlepin/candlepin/pull/3198

Source: secalert@redhat.com

Third Party Advisory

https://github.com/candlepin/candlepin/pull/3199

Source: secalert@redhat.com

PatchThird Party Advisory

https://access.redhat.com/security/cve/CVE-2021-4142