An improper access control flaw was found in Candlepin. This issue enables a customer/tenant to create data scoped under another customer/tenant, and can result in loss of confidentiality and availability for the affected customer/tenant.
This has been fixed in candlepin-4.3.7-3, and deployed to PROD hosted candlepin: curl -k https://subscription.rhsm.redhat.com/candlepin/status | python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 805 0 805 0 0 1580 0 --:--:-- --:--:-- --:--:-- 1581 { "mode": "NORMAL", "modeReason": null, "modeChangeTime": null, "result": true, "version": "4.3.7", <--- version "release": "3", <--- release "standalone": false, "timeUTC": "2023-09-22T10:58:37+0000", "rulesSource": "default", "rulesVersion": "5.44", "managerCapabilities": [ "keycloak_auth", "cloud_registration", "instance_multiplier", "derived_product", "vcpu", "cert_v3", "hypervisors_heartbeat", "remove_by_pool_id", "syspurpose", "storage_band", "device_auth", "cores", "ssl_verify_status", "multi_environment", "hypervisors_async", "org_level_content_access", "guest_limit", "ram", "batch_bind", "combined_reporting" ], "keycloakRealm": "redhat-external", "keycloakAuthUrl": "https://sso.redhat.com/auth", "keycloakResource": "rhsm-api", "deviceAuthRealm": "redhat-external", "deviceAuthUrl": "https://sso.redhat.com/auth", "deviceAuthClientId": "rhsm-api", "deviceAuthScope": "" }