Red Hat Satellite

REXML ReDoS via Hex Char Ref Parsing
CVE-2025-10990 7.5 - High - February 27, 2026

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.

ReDoS

RCE via Malicious Username in RubyIPMI (Red Hat Satellite BMC)
CVE-2026-0980 8.3 - High - February 27, 2026

A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit this vulnerability by crafting a malicious username for the BMC interface. This could lead to remote code execution (RCE) on the system.

Shell injection

Authorization Bypass in Foreman GraphQL API (CVE-2025-9572)
CVE-2025-9572 5 - Medium - February 27, 2026

n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.

Information Disclosure

MITM via Disabled Cert Validation in fog-kubevirt
CVE-2026-1530 8.1 - High - February 02, 2026

A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise.

Improper Certificate Validation

Red Hat Foreman_kubevirt SSL Verification Flaw (MITM Risk)
CVE-2026-1531 8.1 - High - February 02, 2026

A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information.

Improper Certificate Validation

Hibernate Second-Order SQLi via InlineIdsOrClauseBuilder
CVE-2026-0603 8.3 - High - January 23, 2026

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

SQL Injection

Rubygem MQTT Hostname Validation Missing Allows MITM
CVE-2025-12790 7.4 - High - November 06, 2025

A flaw was found in Rubygem MQTT. By default, the package used to not have hostname validation, resulting in possible Man-in-the-Middle (MITM) attack.

Path Traversal: '\..\filename'

Red Hat Satellite Foreman Untrusted Exec via Misconfigured Cmd Whitelist
CVE-2025-10622 8 - High - November 05, 2025

A flaw was found in Red Hat Satellite (Foreman component). This vulnerability allows an authenticated user with edit_settings permissions to achieve arbitrary command execution on the underlying operating system via insufficient server-side validation of command whitelisting.

Shell injection

Yggdrasil local PrivEsc via unauth DBus dispatch to package manager worker
CVE-2025-3931 7.8 - High - May 14, 2025

A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. This flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data.

Improper Handling of Insufficient Permissions or Privileges

crossbeam-channel: Drop race may lead to double-free (CVE-2025-4574)
CVE-2025-4574 6.5 - Medium - May 13, 2025

In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

Double-free

Ring crate panic via QUIC protocol overflow (CVE-2025-4432)
CVE-2025-4432 5.3 - Medium - May 09, 2025

A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets sent or received.

Allocation of Resources Without Limits or Throttling

Foreman: /var/tmp Permission Flaw Enables Info Disclosure & Priv Escalation
CVE-2025-2157 3.3 - Low - March 15, 2025

A flaw was found in Foreman/Red Hat Satellite. Improper file permissions allow low-privileged OS users to monitor and access temporary files under /var/tmp, exposing sensitive command outputs, such as /etc/shadow. This issue can lead to information disclosure and privilege escalation if exploited effectively.

Insecure Storage of Sensitive Information

serialize-javascript XSS via unsanitized regex input
CVE-2024-11831 5.4 - Medium - February 10, 2025

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

XSS

Foreman GraphQL API Sensitive Data Exposure
CVE-2024-6861 7.5 - High - November 06, 2024

A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API.

Information Disclosure

CVE-2024-8553: Authenticated Macro RCE in Foreman Templates
CVE-2024-8553 6.3 - Medium - October 31, 2024

A vulnerability was found in Foreman's loader macros introduced with report templates. These macros may allow an authenticated user with permissions to view and create templates to read any field from Foreman's database. By using specific strings in the loader macros, users can bypass permissions and access sensitive information.

Information Disclosure

Uninitialized Buffer in Go FIPS OpenSSL May Cause False HMAC Match
CVE-2024-9355 6.5 - Medium - October 01, 2024

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.

Use of Uninitialized Variable

Auth Bypass in Foreman Satellite 6.13-6.15 via mod_proxy header issue
CVE-2024-7012 9.8 - Critical - September 04, 2024

An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) and could potentially enable unauthorized users to gain administrative access.

authentification

Auth Bypass in Pulpcore v3.0+ via Gunicorn <=22.0 + mod_proxy
CVE-2024-7923 - September 04, 2024

An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.

authentification

Command Injection in Foreman Host Init Config Template (CVE-2024-7700)
CVE-2024-7700 6.5 - Medium - August 12, 2024

A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script.

Command Injection

Pulp RBAC flaw causes improper perms via AutoAddObjPermsMixin (CVE-2024-7143)
CVE-2024-7143 - August 07, 2024

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

Insecure Inherited Permissions

Katello Foreman XSS via User Description Field
CVE-2024-4812 4.8 - Medium - June 05, 2024

A flaw was found in the Katello plugin for Foreman, where it is possible to store malicious JavaScript code in the "Description" field of a user. This code can be executed when opening certain pages, for example, Host Collections.

XSS

Foreman-installer Process Pw Leak via --pw flag
CVE-2024-3716 6.2 - Medium - June 05, 2024

A flaw was found in foreman-installer when puppet-candlepin is invoked cpdb with the --password parameter. This issue leaks the password in the process list and allows an attacker to take advantage and obtain the password.

Information Disclosure

Red Hat Satellite Remote Exec Ignores SSH Key Validation (MITM risk)
CVE-2024-4871 6.8 - Medium - May 14, 2024

A vulnerability was found in Satellite. When running a remote execution job on a host, the host's SSH key is not being checked. When the key changes, the Satellite still connects it because it uses "-o StrictHostKeyChecking=no". This flaw can lead to a man-in-the-middle attack (MITM), denial of service, leaking of secrets the remote execution job contains, or other issues that may arise from the attacker's ability to forge an SSH key. This issue does not directly allow unauthorized remote execution on the Satellite, although it can leak secrets that may lead to it.

Key Exchange without Entity Authentication

python-cryptography: Remote Decryption of TLS RSA Exchanges
CVE-2023-50782 7.5 - High - February 05, 2024

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Observable Timing Discrepancy

CVE-2023-4320: Satellite Token Over-Expiration via Arithmetic Overflow
CVE-2023-4320 7.6 - High - December 18, 2023

An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker who uses this arithmetic overflow to create personal access tokens that are valid indefinitely, resulting in damage to the system's integrity.

Insufficient Session Expiration

Ansible Path Traversal (Galaxy Importer) Symlink Drop
CVE-2023-5189 6.3 - Medium - November 14, 2023

A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.

Relative Path Traversal

HTTP/2 DoS via Stream Reset in nginx
CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

Candlepin Improper Access Control (CVE-2023-1832)
CVE-2023-1832 8.1 - High - October 04, 2023

An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant.

AuthZ

Foreman: Tomcat server.xml SINFO Exposure via World-Readable File
CVE-2023-4886 6.7 - Medium - October 03, 2023

A sensitive information exposure vulnerability was found in foreman. Contents of tomcat's server.xml file, which contain passwords to candlepin's keystore and truststore, were found to be world readable.

Information Disclosure

Foreman: Admin Auth Command Injection via CoreOS/Fedora CoreOS Templates
CVE-2022-3874 9.1 - Critical - September 22, 2023

A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system.

Shell injection

Foreman A* Code Exec via YAML Global Params
CVE-2023-0462 9.1 - Critical - September 20, 2023

An arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload.

Code Injection

Red Hat Satellite blind S2S RPF via Referer header
CVE-2022-4130 4.5 - Medium - December 16, 2022

A blind site-to-site request forgery vulnerability was found in Satellite server. It is possible to trigger an external interaction to an attacker's server by modifying the Referer header in an HTTP request of specific resources in the server.

Pulp Ansible Remote Token Plaintext Exposure via API
CVE-2022-3644 5.5 - Medium - October 25, 2022

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

Insufficiently Protected Credentials

IBM Java SDK <SR1 FP10: plaintext stored in memory dumps (CVE-2015-1931)
CVE-2015-1931 - September 29, 2022

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file.

PrivEsc RedHat Satellite via Granular Perms Leak
CVE-2021-3414 8.1 - High - August 26, 2022

A flaw was found in satellite. When giving granular permission related to the organization, other permissions allowing a user to view and manage other organizations are also granted. The highest threat from this vulnerability is to data confidentiality.

Improper Preservation of Permissions

Foreman API Credential Leak Exposes Azure Compute Passwords
CVE-2021-3590 8.8 - High - August 22, 2022

A flaw was found in Foreman project. A credential leak was identified which will expose Azure Compute Profile password through JSON of the API output. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Cleartext Transmission of Sensitive Information

Red Hat Satellite Plaintext Candlepin Password Disclosure via satellite-installer
CVE-2020-10710 4.4 - Medium - August 16, 2022

A flaw was found where the Plaintext Candlepin password is disclosed while updating Red Hat Satellite through the satellite-installer. This flaw allows an attacker with sufficiently high privileges, such as root, to retrieve the Candlepin plaintext password.

Insufficiently Protected Credentials

An authorization flaw was found in Foreman Ansible
CVE-2021-3589 8 - High - March 23, 2022

An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Missing Authentication for Critical Function

A server side remote code execution vulnerability was found in Foreman project
CVE-2021-3584 7.2 - High - December 23, 2021

A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed releases are 2.4.1, 2.5.1, 3.0.0.

Shell injection

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration
CVE-2021-42550 6.6 - Medium - December 16, 2021

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Marshaling, Unmarshaling

In Django 2.2 before 2.2.25
CVE-2021-44420 7.3 - High - December 08, 2021

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

A credential leak vulnerability was found in Red Hat Satellite
CVE-2020-14371 6.5 - Medium - June 02, 2021

A credential leak vulnerability was found in Red Hat Satellite. This flaw exposes the compute resources credentials through VMs that are running on these resources in Satellite.

Information Disclosure

An account takeover flaw was found in Red Hat Satellite 6.7.2 onward
CVE-2020-14380 7.5 - High - June 02, 2021

An account takeover flaw was found in Red Hat Satellite 6.7.2 onward. A potential attacker with proper authentication to the relevant external authentication source (SSO or Open ID) can claim the privileges of already existing local users of Satellite.

authentification

A flaw was found in Red Hat Satellite, which allows a privileged attacker to read OMAPI secrets through the ISC DHCP of Smart-Proxy
CVE-2020-14335 5.5 - Medium - June 02, 2021

A flaw was found in Red Hat Satellite, which allows a privileged attacker to read OMAPI secrets through the ISC DHCP of Smart-Proxy. This flaw allows an attacker to gain control of DHCP records from the network. The highest threat from this vulnerability is to system availability.

Information Disclosure

A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view
CVE-2020-10716 6.5 - Medium - May 27, 2021

A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4.

A flaw was found in Red Hat Satellite in tfm-rubygem-foreman_azure_rm in versions before 2.2.0
CVE-2021-3413 6.3 - Medium - April 08, 2021

A flaw was found in Red Hat Satellite in tfm-rubygem-foreman_azure_rm in versions before 2.2.0. A credential leak was identified which will expose Azure Resource Manager's secret key through JSON of the API output. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Information Disclosure

A flaw was found in Red Hat Satellite
CVE-2021-20256 - February 23, 2021

A flaw was found in Red Hat Satellite. The BMC interface exposes the password through the API to an authenticated local attacker with view_hosts permission. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Information Disclosure

A flaw was found in Red Hat Satellite 6 which allows privileged attacker to read cache files
CVE-2020-14334 8.8 - High - July 31, 2020

A flaw was found in Red Hat Satellite 6 which allows privileged attacker to read cache files. These cache credentials could help attacker to gain complete control of the Satellite instance.

Insufficiently Protected Credentials

A flaw was found in Hibernate Validator version 6.1.2.Final
CVE-2020-10693 5.3 - Medium - May 06, 2020

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Improper Input Validation

Nokogiri before 1.5.4 is vulnerable to XXE attacks
CVE-2012-6685 - February 19, 2020

Nokogiri before 1.5.4 is vulnerable to XXE attacks