Bug 1744539 - CVE-2018-1077 spacewalk: XML External Entity (XXE) on Spacewalk APIs
Summary: CVE-2018-1077 spacewalk: XML External Entity (XXE) on Spacewalk APIs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: API
Version: 2.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: CVE-2018-1077 space210
Reported: 2019-08-22 11:37 UTC by Michael Mráka
Modified: 2020-03-19 12:16 UTC

Fixed In Version: redstone-xmlrpc 1.1_20071120-20
Clone Of:
Environment:
Last Closed: 2020-03-19 12:16:13 UTC
Embargoed:


Description Michael Mráka 2019-08-22 11:37:20 UTC
+++ This bug was initially created as a clone of Bug #1555429 +++

It is reported that the Spacewalk 2.6 API contains an XXE flaw resulting in information disclosure.


--- Additional comment from Michael Mráka on 2019-08-21 14:03:00 UTC ---

Fixed in spacewalk git by
commit ff0c56b6735ca978c4cede5e4e6fa71e3e9bfd82
    1555429 - do not download external entities

Comment 1 Michael Mráka 2020-03-19 12:16:13 UTC
Spacewalk 2.10 has been released.
https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes210

