CVE-2012-6119
low
CVSS v3
—
CVSS v2
2.1
VIR risk
2.1
Description
Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/52774
Vendor advisory: secalert@redhat.com — http://rhn.redhat.com/errata/RHSA-2013-0686.html
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| candlepinproject | candlepin | {"endIncluding":"0.7.2"} | |
| candlepinproject | candlepin | 0.4.5 | |
| candlepinproject | candlepin | 0.4.11 | |
| candlepinproject | candlepin | 0.4.27 | |
| candlepinproject | candlepin | 0.5.5 | |
| candlepinproject | candlepin | 0.6.3 | |
| redhat | subscription_asset_manager | {"endIncluding":"1.2.0"} | |
| redhat | subscription_asset_manager | 1.0.0 | |
| redhat | subscription_asset_manager | 1.1.0 | |
References
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://secunia.com/advisories/52774
- http://www.osvdb.org/91719
- https://bugzilla.redhat.com/show_bug.cgi?id=908613
- https://github.com/candlepin/candlepin/blob/master/candlepin.spec
- https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://secunia.com/advisories/52774
- http://www.osvdb.org/91719
- https://bugzilla.redhat.com/show_bug.cgi?id=908613
- https://github.com/candlepin/candlepin/blob/master/candlepin.spec
- https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.