Bug 529483 (CVE-2009-4139) - CVE-2009-4139 RHN Satellite / Spacewalk: CSRF in all web portal forms
Summary: CVE-2009-4139 RHN Satellite / Spacewalk: CSRF in all web portal forms
Alias: CVE-2009-4139
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Jiri Kastner
: 672170
Depends On: 693796
Blocks: 622406
Reported: 2009-10-17 13:25 UTC by Jan Lieskovsky
Modified: 2021-02-25 02:11 UTC (History)

Fixed In Version: spacewalk-java-1.2.39-85.el*sat
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-08-02 16:23:58 UTC


System                 | ID             | Private | Priority | Status       | Summary                                                                   | Last Updated
Red Hat Bugzilla       | 719504         | 1       | None     | None         | None                                                                      | 2021-01-20 06:05:38 UTC
Red Hat Product Errata | RHSA-2011:0879 | 0       | normal   | SHIPPED_LIVE | Moderate: Red Hat Network Satellite server spacewalk-java security update | 2011-06-16 19:01:11 UTC

Internal Links: 719504

Description Jan Lieskovsky 2009-10-17 13:25:40 UTC
It was found that Red Hat Network (RHN) Satellite and Spacewalk services did not protect against Cross-Site Request Forgery (CSRF) attacks. If an authenticated RHN Satellite or Spacewalk service user visited a specially-crafted web page, it could lead to unauthorized command execution with the privileges of that user, for example, creating a new user account, granting administrator privileges to user accounts, disabling the account of the current user, and so on.


Red Hat would like to thank Christian Johansson of Bitsec AB and Thomas Biege of the SUSE Security Team for independently reporting this issue.
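The description above names the missing control: state-changing web forms that accepted any request carrying the victim's session cookie. The following Python sketch is an added illustration, not Spacewalk or Satellite code; the session store, the `grant_admin` handler, and the `https://satellite.example` origin string are constructed for the example. It shows the synchronizer-token pattern that closes this class of bug: a per-session random token is embedded in every form, compared in constant time on submission, and a request that lacks it (which is what a page on another site can produce, since it cannot read the token) is refused before the privileged action runs. An `Origin` header check is layered in as defence in depth; browsers do not send it on every request, so its absence falls through to the token check rather than short-circuiting it.

```python
"""Synchronizer-token CSRF check for a state-changing form handler.

Added example, not Spacewalk/Satellite code. The session store, the
admin-grant handler and the site origin are constructed stand-ins so the
check can be exercised offline.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SITE_ORIGIN = "https://satellite.example"  # constructed placeholder origin


@dataclass
class Session:
    """Server-side session: identifies the user and holds one CSRF token."""
    user: str
    is_admin: bool = False
    # 256 bits from the OS CSPRNG; a forging site cannot guess or read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class CsrfError(Exception):
    """Raised when a request fails the anti-forgery checks."""


def render_form(session: Session) -> Dict[str, str]:
    """Hidden fields the server embeds in every state-changing form."""
    return {"csrf_token": session.csrf_token}


def check_csrf(session: Session, form: Dict[str, str], origin: Optional[str]) -> None:
    """Refuse the request unless it carries the session's own token.

    Origin (when the browser sent it) must match our site; otherwise the
    decision rests on the token, which is compared in constant time so the
    comparison itself leaks nothing about the expected value.
    """
    if origin is not None and origin != SITE_ORIGIN:
        raise CsrfError("cross-origin request refused")
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        raise CsrfError("missing or invalid CSRF token")


def grant_admin(session: Session, users: Dict[str, bool], form: Dict[str, str],
                origin: Optional[str] = None) -> Dict[str, bool]:
    """Privileged action from the description: promote another account.

    Authorization (is the caller an admin?) and the CSRF check are separate
    controls; the vulnerable behaviour was having only the first.
    """
    if not session.is_admin:
        raise PermissionError("caller is not an administrator")
    check_csrf(session, form, origin)  # must run before any state changes
    users[form["login"]] = True
    return users


def demo() -> Dict[str, object]:
    """Run three submissions against one admin session and report outcomes."""
    admin = Session(user="alice", is_admin=True)
    users = {"bob": False}  # constructed user table: login -> is_admin
    outcomes: Dict[str, object] = {}

    # 1. Forged submission: cookie present (browser adds it), no token.
    try:
        grant_admin(admin, users, {"login": "bob"}, origin="https://evil.example")
        outcomes["forged"] = "accepted"
    except CsrfError as exc:
        outcomes["forged"] = f"refused: {exc}"

    # 2. Forged submission with no Origin header (e.g. an older browser).
    try:
        grant_admin(admin, users, {"login": "bob", "csrf_token": "guess"})
        outcomes["forged_no_origin"] = "accepted"
    except CsrfError as exc:
        outcomes["forged_no_origin"] = f"refused: {exc}"

    # 3. Genuine submission from the site's own rendered form.
    form = {"login": "bob", **render_form(admin)}
    grant_admin(admin, users, form, origin=SITE_ORIGIN)
    outcomes["genuine"] = "accepted"
    outcomes["bob_is_admin"] = users["bob"]
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token must be bound to the session and regenerated on login; a token that is constant across users, or derivable from public data, gives no protection. The check belongs in a common filter applied to every POST handler rather than being added form by form, since the bug here was precisely that every form lacked it.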

Comment 47 Jan Lieskovsky 2011-06-16 12:52:08 UTC
This issue affects the versions of the spacewalk-java package, as shipped
with Red Hat Network Satellite Server version 5.3.0, and 5.4.0.

Comment 48 Jan Lieskovsky 2011-06-16 12:54:49 UTC

Vulnerable. This issue has been addressed in Red Hat Network Satellite Server v 5.4.1 via RHSA-2011:0879 https://rhn.redhat.com/errata/RHSA-2011-0879.html. This issue is not planned to be fixed in Red Hat Network Satellite Server version 5.3.0.

Comment 50 errata-xmlrpc 2011-06-16 19:01:15 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2011:0879 https://rhn.redhat.com/errata/RHSA-2011-0879.html
