Travis Emmert reports: An XMLRPC interface is exposed that is intended for programmatic invocation from the client programs and related components. This interface exists on the satellite server at /XMLRPC. Note that this interface is different from the published interface exposed to end users at /rpc/api. The application accepts data and a filename for writing the file to. The filename and resulting generated path are inspected; however, the inspection does not consider all potential attacks. The verification on the path results in a situation where an attacker can write to an arbitrary file and directory under /var/satellite/.
Acknowledgement: Red Hat would like to thank Travis Emmert for reporting this issue.
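The report describes a path check that inspects the filename but does not cover every way the resulting path can leave /var/satellite/. The following is an added illustration of a containment check that canonicalises before comparing; it is not Satellite's code or Red Hat's fix, and SATELLITE_ROOT, resolve_upload_target and the probe names are constructed for the example.

```python
import os
import tempfile

SATELLITE_ROOT = "/var/satellite"  # directory the advisory says writes land under


class UnsafePath(ValueError):
    """Client-supplied filename would resolve outside the root."""


def resolve_upload_target(filename: str, root: str = SATELLITE_ROOT) -> str:
    """Return the canonical path for `filename` or raise UnsafePath.
    Hypothetical hardened check (not Satellite's code): canonicalise root and
    candidate, then require the candidate to be a descendant of root."""
    if not filename or "\x00" in filename:
        raise UnsafePath("empty or NUL-containing filename")
    if os.path.isabs(filename):
        # os.path.join(root, "/etc/x") silently discards root.
        raise UnsafePath("absolute filename")
    real_root = os.path.realpath(root)
    # realpath follows symlinks, so a link under root cannot redirect the write.
    candidate = os.path.realpath(os.path.join(real_root, filename))
    # commonpath compares whole components; a startswith() prefix test would
    # accept "/var/satellite-evil" as being inside "/var/satellite".
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise UnsafePath(f"{filename!r} escapes {root}")
    if candidate == real_root:
        raise UnsafePath("filename names the root directory itself")
    return candidate


def classify_constructed_inputs() -> dict:
    """Run the check in a throwaway root with constructed names (nothing
    captured from a real server) and report accept/reject per name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "satellite")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "redhat"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))  # link escaping root
        probes = ["redhat/1/pkg.rpm", "redhat/./pkg.rpm", "../outside/x",
                  "redhat/../../outside/x", "/etc/x", "link/x", ""]
        verdict = {}
        for name in probes:
            try:
                resolve_upload_target(name, root)
                verdict[name] = "accepted"
            except UnsafePath:
                verdict[name] = "rejected"
        return verdict
```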