2145254 – (CVE-2022-4130) CVE-2022-4130 satellite: Blind SSRF via Referer header

Bug 2145254 (CVE-2022-4130) - CVE-2022-4130 satellite: Blind SSRF via Referer header

Summary: CVE-2022-4130 satellite: Blind SSRF via Referer header

Keywords:
Status:	NEW
Alias:	CVE-2022-4130
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2148136 2148155 2147581
Blocks:	2142667
TreeView+	depends on / blocked

Reported:	2022-11-23 15:57 UTC by ybuenos
Modified:	2023-03-02 08:28 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:	A blind site-to-site request forgery vulnerability was found in Satellite server. It is possible to trigger an external interaction to an attacker's server by modifying the Referer header in an HTTP request of specific resources in the server.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description ybuenos 2022-11-23 15:57:03 UTC

Satellite is executing external requests via the Referer header under the /location/clear path. It is possible to trigger an external interaction to an attacker's server, by executing a GET request to /locations/clear and modifying the Referer header to an attacker-controlled server.

Note You need to log in before you can comment on or make changes to this bug.