Описание
Multiple SQL injection vulnerabilities in the scoped_search function in app/controllers/katello/api/v2/api_controller.rb in Katello allow remote authenticated users to execute arbitrary SQL commands via the (1) sort_by or (2) sort_order parameter.
An input sanitization flaw was found in the scoped search parameters sort_by and sort_order in the REST API. An authenticated user could use this flaw to perform an SQL injection attack on the Katello back end database.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Subscription Asset Manager | katello | Not affected | ||
| Red Hat Satellite 6.1 | ruby193-rubygem-katello | Fixed | RHSA-2016:1083 | 16.05.2016 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS2
Связанные уязвимости
Multiple SQL injection vulnerabilities in the scoped_search function in app/controllers/katello/api/v2/api_controller.rb in Katello allow remote authenticated users to execute arbitrary SQL commands via the (1) sort_by or (2) sort_order parameter.
EPSS
6.5 Medium
CVSS2