It was found that an XMLRPC interface exposed by Satellite could allow an attacker to write arbitrary files and directories under the /var/satellite directory on the Satellite server.
Travis Emmert reports:
An XMLRPC interface is exposed that is intended for programmatic invocation
from the client programs and related components. This interface exists on the
satellite server at /XMLRPC. Note that this interface is different from the
published interface exposed to end users at /rpc/api. The application accepts
data and a filename for writing the file to. The filename and resulting
generated path are inspected, however the inspection does not consider all
potential attacks. The verification on the path results in a situation where
an attacker can write to an arbitrary file and directory under /var/satellite/.
Red Hat would like to thank Travis Emmert for reporting this issue.
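As an added illustration, not code from the advisory or from Satellite itself: a constructed weak string-prefix check of the kind that misses whole classes of input, beside a resolved-path containment check that confines writes to /var/satellite, the directory named above.

```python
import os

# Directory the interface is meant to confine writes to (named in the advisory).
BASE_DIR = "/var/satellite"


def weak_prefix_check(filename, base_dir=BASE_DIR):
    """Constructed example of an insufficient check (not Satellite's code).

    It only asks whether the joined path string starts with base_dir, so a
    filename that climbs with '..', or an absolute filename naming a sibling
    directory such as /var/satellite2, still passes.
    """
    candidate = os.path.join(base_dir, filename)
    return candidate.startswith(base_dir)


def confined_path(filename, base_dir=BASE_DIR):
    """Return the resolved target path if it lies inside base_dir, else None.

    Both sides are canonicalised with realpath, which collapses '..' and
    follows symlinks, and the comparison includes the separator so a sibling
    directory sharing the prefix is not mistaken for the base.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if target == base or target.startswith(base + os.sep):
        return target
    return None


def write_confined(filename, data, base_dir=BASE_DIR):
    """Write data only when the resolved target is confined; otherwise refuse."""
    target = confined_path(filename, base_dir)
    if target is None:
        raise ValueError("refusing to write outside %s: %r" % (base_dir, filename))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    # Constructed sample filenames; only the checks run, nothing is written.
    for name in ("rhn/repo/pkg.rpm", "../../etc/cron.d/job",
                 "/etc/passwd", "/var/satellite2/x"):
        print("%-24s weak=%-5s confined=%s"
              % (name, weak_prefix_check(name), confined_path(name) is not None))
```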