Description of problem:

The Foreman & Katello projects received an upstream notification about the discovery of an authenticated SQL injection vulnerability within Katello:

Dear Katello/Foreman Team,

During an internal test it was discovered that the scoped search parameters sort_by and sort_order are vulnerable to an authenticated SQL injection.

If we access:

https://x.x.x.x/katello/api/v2/organizations/1/sync_plans/1/products?available_for=sync_plan&full_result=true&page=1&search=&sort_by=name&sort_order=ASC'

we will see the following error:

{"displayMessage":"PG::Error: ERROR: unterminated quoted string at or near \"', katello_products.id DESC\"\nLINE 1: ...n_id IS NULL)) ORDER BY katello_products.name ASC', katello...\n ^\n: SELECT \"katello_products\".* FROM \"katello_products\" WHERE \"katello_products\".\"id\" IN (SELECT DISTINCT \"katello_products\".\"id\" FROM \"katello_products\" WHERE \"katello_products\".\"organization_id\" = 1 AND (katello_products.id in (NULL) or katello_products.id in (6,5,4,2,3,1)) AND (sync_plan_id != '1' OR sync_plan_id IS NULL)) ORDER BY katello_products.name ASC', katello_products.id DESC","errors":["PG::Error: ERROR: unterminated quoted string at or near \"', katello_products.id DESC\"\nLINE 1: ...n_id IS NULL)) ORDER BY katello_products.name ASC', katello...\n

The injection can be exploited as a blind time based injection.

Best Regards
Oliver

External reference:

The line of code in question here is:
https://github.com/Katello/katello/blob/KATELLO-3.0/app/controllers/katello/api/v2/api_controller.rb#L67
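The root cause described in the report is a sort column and sort direction taken from request parameters and placed into an ORDER BY clause without validation. The following Ruby is an added illustration, not Katello's code and not the fix shipped in the erratum: it contrasts an unvalidated clause builder (which reproduces the malformed SQL the reporter's error message shows) with an allowlist-based builder that only accepts known column names and the literal directions ASC/DESC. The column list, the table name and the method names are assumptions chosen for the example; a real controller would derive the allowed columns from the model.

```ruby
# Added example (not from the Katello project): validating sort parameters
# before they reach an ORDER BY clause.

# Assumed allowlist of sortable columns for the example; in practice this would
# come from the model's column names or a scoped_search definition.
ALLOWED_SORT_COLUMNS = %w[name id created_at].freeze
ALLOWED_SORT_ORDERS  = %w[ASC DESC].freeze

class InvalidSortParam < ArgumentError; end

# Unvalidated form: user input is interpolated straight into SQL text.
# With sort_order = "ASC'" this yields exactly the kind of clause the
# report's PG::Error complains about ("... ASC', katello_products.id DESC").
def unsafe_order_clause(table, sort_by, sort_order)
  "ORDER BY #{table}.#{sort_by} #{sort_order}, #{table}.id DESC"
end

# Hardened form: both parameters are checked against fixed allowlists and
# anything else is rejected with an error the controller can map to HTTP 400.
# Only the allowlisted strings themselves are ever emitted, so no request
# data is interpolated into the SQL.
def safe_order_clause(table, sort_by, sort_order)
  column = sort_by.to_s
  order  = sort_order.to_s.upcase  # accept "asc"/"desc" case-insensitively

  unless ALLOWED_SORT_COLUMNS.include?(column)
    raise InvalidSortParam, "sort_by must be one of #{ALLOWED_SORT_COLUMNS.join(', ')}"
  end
  unless ALLOWED_SORT_ORDERS.include?(order)
    raise InvalidSortParam, "sort_order must be ASC or DESC"
  end

  "ORDER BY #{table}.#{column} #{order}, #{table}.id DESC"
end

# Convenience wrapper returning a status the caller can branch on instead of
# raising: [:ok, clause] or [:rejected, message].
def build_order_clause(table, sort_by, sort_order)
  [:ok, safe_order_clause(table, sort_by, sort_order)]
rescue InvalidSortParam => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs mirroring the report: a benign request and the
  # single-quote variant from the reporter's URL.
  p unsafe_order_clause("katello_products", "name", "ASC'")
  p build_order_clause("katello_products", "name", "ASC")
  p build_order_clause("katello_products", "name", "ASC'")
end
```

The essential property of the hardened builder is that the emitted SQL text is composed only from compile-time constants; the request parameters merely select which constant is used. That is a stronger guarantee than escaping, since column names and sort directions cannot be bound as prepared-statement parameters in PostgreSQL.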
This issue has been addressed in the following products: Red Hat Satellite 6.1 Via RHSA-2016:1083 https://access.redhat.com/errata/RHSA-2016:1083