CVE-2021-4142

The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin.

CVSS v3.0 5.5 MEDIUM

5.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/candlepin/candlepin/pull/3199	Patch Third Party Advisory
https://github.com/candlepin/candlepin/pull/3198	Third Party Advisory
https://github.com/candlepin/candlepin/pull/3197	Patch Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2034346	Issue Tracking Vendor Advisory
https://access.redhat.com/security/cve/CVE-2021-4142	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:candlepinproject:candlepin::::::::
	cpe:2.3:a:candlepinproject:candlepin::::::::
	cpe:2.3:a:candlepinproject:candlepin::::::::

Information

Published : 2022-08-24 09:15

Updated : 2023-02-12 15:43

NVD link : CVE-2021-4142

Mitre link : CVE-2021-4142

JSON object : View

CWE

CWE-287

Improper Authentication

CWE-639

Authorization Bypass Through User-Controlled Key

Products Affected

candlepinproject

candlepin

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/candlepin/candlepin/pull/3199", "name": "https://github.com/candlepin/candlepin/pull/3199", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/candlepin/candlepin/pull/3198", "name": "https://github.com/candlepin/candlepin/pull/3198", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/candlepin/candlepin/pull/3197", "name": "https://github.com/candlepin/candlepin/pull/3197", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034346", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2034346", "tags": ["Issue Tracking", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://access.redhat.com/security/cve/CVE-2021-4142", "name": "https://access.redhat.com/security/cve/CVE-2021-4142", "tags": ["Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-639"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-4142", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}}, "publishedDate": "2022-08-24T16:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "4.1.8-1", "versionStartIncluding": "4.1.0"}, {"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "3.2.21-1", "versionStartIncluding": "3.2.0"}, {"cpe23Uri": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "3.1.28-2", "versionStartIncluding": "3.1.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-12T23:43Z"}

5.5 /10