Bug 2448349 (CVE-2026-4324)

Summary: CVE-2026-4324 rubygem-katello: Katello: Denial of Service and potential information disclosure via SQL injection
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: anthomas, ehelms, ggainey, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, security-response-team, smallamp, tmalecek
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description (OSIDB Bzimport, 2026-03-17 12:32:57 UTC)
A flaw was found in the Katello plugin for Red Hat Satellite. The vulnerability occurs due to improper sanitization of user-provided input in the sort_by parameter of the /api/hosts/bootc_images API endpoint. An attacker could exploit this flaw by injecting arbitrary SQL commands into the order clause of the database query. While certain complex queries are blocked by the underlying framework's protections, an attacker can still manipulate the query structure to trigger database errors, cause a Denial of Service (DoS), or potentially perform Boolean-based Blind SQL injection.
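The root cause described above is a sort parameter that reaches an ORDER BY clause without being constrained to known column names. The page does not say how Katello fixed it, so the following is an added example (not Katello's or Red Hat's code) of the standard mitigation for this class of bug: the unsafe interpolation pattern beside a hardened version that only ever builds the clause from allow-listed constants. The column names, the direction handling and the `InvalidSortError` class are assumptions made for the example, not taken from Katello.

```ruby
# Added example: allow-listing a user-supplied sort_by value before it reaches
# an ORDER BY clause. Column names and error class are assumed for illustration.

ALLOWED_SORT_COLUMNS = %w[name version created_at].freeze   # assumed, not Katello's
ALLOWED_DIRECTIONS   = %w[asc desc].freeze
DEFAULT_SORT         = %w[name asc].freeze

class InvalidSortError < ArgumentError; end

# Unsafe pattern, shown only for contrast: whatever the client sends in
# sort_by becomes part of the SQL text. ORDER BY cannot take a bind
# parameter for the column, so prepared statements alone do not help here.
def unsafe_order_clause(sort_by)
  "ORDER BY #{sort_by}"
end

# Parse "column" or "column direction" and check every token against a fixed
# allow-list. Anything else (extra tokens, unknown names, punctuation) is
# rejected with a 4xx-style error instead of being passed to the database.
def parse_sort_by(sort_by)
  return DEFAULT_SORT if sort_by.nil? || sort_by.strip.empty?

  column, direction, *extra = sort_by.strip.split(/\s+/)
  raise InvalidSortError, "sort_by has too many tokens" unless extra.empty?
  raise InvalidSortError, "unknown sort column" unless ALLOWED_SORT_COLUMNS.include?(column)

  direction = (direction || DEFAULT_SORT[1]).downcase
  raise InvalidSortError, "unknown sort direction" unless ALLOWED_DIRECTIONS.include?(direction)

  [column, direction]
end

# Hardened: the clause is assembled only from values that came out of the
# allow-list, so the client's raw string never appears in the SQL.
def safe_order_clause(sort_by)
  column, direction = parse_sort_by(sort_by)
  "ORDER BY \"#{column}\" #{direction.upcase}"
end

# Convenience check for request validation or logging of rejected values.
def valid_sort_by?(sort_by)
  parse_sort_by(sort_by)
  true
rescue InvalidSortError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts safe_order_clause("version desc")
  puts valid_sort_by?("not_a_column")
end
```

Rejected values are worth logging with the request source: a client that repeatedly sends non-column strings to a sort parameter is exactly the signal a detection rule for this kind of probing would key on.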