Evgeni Golov of Red Hat reports:
It was found that katello-debug.sh uses static, perfectly guessable paths in /tmp for its temporary files, which can lead to symlink attacks on /tmp/tasks_export.log and /tmp/pulp_running_tasks.js leading to overwritten files anywhere on the system (as katello-debug is run via sos as root), or code execution inside of mongo via /tmp/pulp_running_tasks.js if $user pre-creates that file and overwrites the file after command is echoed there, modifying it at his own will before calling mongo on it.
Created attachment 1255095 [details]
patch for the issue.
Name: Evgeni Golov (Red Hat)
This issue has been addressed in the following products:
Red Hat Satellite 6.3 for RHEL 7
Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336