1192249 – (CVE-2014-8168) CVE-2014-8168 Satellite: Local user can access MongoDB and delete database

Bug 1192249 (CVE-2014-8168) - CVE-2014-8168 Satellite: Local user can access MongoDB and delete database

Summary: CVE-2014-8168 Satellite: Local user can access MongoDB and delete database

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-8168
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1192251 1977882
Blocks:	1192250 1979372
TreeView+	depends on / blocked

Reported:	2015-02-13 00:18 UTC by Kurt Seifried
Modified:	2021-12-14 18:47 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2021-10-20 10:49:59 UTC
Embargoed:

Attachments	(Terms of Use)

Description Kurt Seifried 2015-02-13 00:18:08 UTC

In Red Hat Satellite, the MongoDB database can be accessed by any malicious local user of the Satellite server and pulp_database content can be modified or deleted. Embedded MongoDB was introduced in Satellite 6.0 onward therefore, all the current Satellite active versions are affected by the flaw.

Note You need to log in before you can comment on or make changes to this bug.

bbuckingham
bcourt
bkearney
btotty
cduryee
cpelland
cperry
ehelms
jhutar
jrusnack
jsherril
lzap
mhulan
mmccune
myarboro
nmoumoul
orabin
pcreech
rchan
rjerrido
security-response-team
sokeeffe
tjay
vkaigoro
ytale