Bug 1744539

Summary: CVE-2018-1077 spacewalk: XML External Entity (XXE) on Spacewalk APIs
Product: [Community] Spacewalk
Reporter: Michael Mráka <mmraka>
Component: API
Assignee: Michael Mráka <mmraka>
Status: CLOSED CURRENTRELEASE
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 2.9
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: redstone-xmlrpc 1.1_20071120-20
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-19 12:16:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1555429, 1802137

Description Michael Mráka 2019-08-22 11:37:20 UTC
+++ This bug was initially created as a clone of Bug #1555429 +++

It is reported that the Spacewalk 2.6 API contains an XXE flaw resulting in information disclosure.


--- Additional comment from Michael Mráka on 2019-08-21 14:03:00 UTC ---

Fixed in spacewalk git by
commit ff0c56b6735ca978c4cede5e4e6fa71e3e9bfd82
    1555429 - do not download external entities

Comment 1 Michael Mráka 2020-03-19 12:16:13 UTC
Spacewalk 2.10 has been released.
https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes210