Bug 2145254 (CVE-2022-4130) - CVE-2022-4130 satellite: Blind SSRF via Referer header
Summary: CVE-2022-4130 satellite: Blind SSRF via Referer header
Keywords:
Status: NEW
Alias: CVE-2022-4130
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2148136 2148155 2147581
Blocks: 2142667
TreeView+ depends on / blocked
 
Reported: 2022-11-23 15:57 UTC by ybuenos
Modified: 2023-03-02 08:28 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: ---
Doc Text:
A blind site-to-site request forgery vulnerability was found in Satellite server. It is possible to trigger an external interaction to an attacker's server by modifying the Referer header in an HTTP request of specific resources in the server.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description ybuenos 2022-11-23 15:57:03 UTC
Satellite is executing external requests via the Referer header under the /location/clear path. It is possible to trigger an external interaction to an attacker's server, by executing a GET request to /locations/clear and modifying the Referer header to an attacker-controlled server.


Note You need to log in before you can comment on or make changes to this bug.