It was discovered that redhat-certification does not properly restrict the files that can be downloaded through the /download page. A remote attacker may download any file accessible by the user running httpd.
It was discovered that redhat-certification allows an unauthenticated user to download any file accessible by the user running the httpd server, through the /download URL.
Name: Riccardo Schirone (Red Hat Product Security)
If SELinux is enabled it further restricts the set of files that can be downloaded through this flaw.
The rpath argument of the /download view is not validated, so it allows any file readable by the httpd user to be downloaded.
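As an added example (not redhat-certification's own code), this is the kind of containment check an rpath argument of a /download-style view needs: the hypothetical `resolve_download_path` helper assumes a Python handler and a fixed download directory, and rejects absolute paths, `..` escapes and symlinks that resolve outside that directory.

```python
import os
import tempfile


def resolve_download_path(base_dir, rpath):
    """Map a user-supplied rpath onto a file inside base_dir, or raise.

    Hypothetical hardened check: rpath may only name a file below
    base_dir. Absolute paths, '..' segments and symlinks pointing
    outside base_dir are rejected after canonicalisation.
    """
    if not isinstance(rpath, str) or not rpath or "\x00" in rpath:
        raise ValueError("invalid rpath")
    if os.path.isabs(rpath):
        raise ValueError("absolute rpath not allowed")
    base = os.path.realpath(base_dir)
    # realpath resolves '..' and symlinks, so the containment check
    # below runs on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, rpath))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("rpath escapes the download directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(rpath)
    return candidate


def demo():
    """Exercise the check against a constructed download directory."""
    tmp = tempfile.mkdtemp()
    allowed = os.path.join(tmp, "downloads")
    os.mkdir(allowed)
    with open(os.path.join(allowed, "report.txt"), "w") as f:
        f.write("ok")
    # Constructed file that sits next to, not inside, the download directory.
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("no")
    results = {}
    for rpath in ["report.txt", "../secret.txt", "/etc/hostname", "sub/../report.txt"]:
        try:
            resolve_download_path(allowed, rpath)
            results[rpath] = "served"
        except (ValueError, FileNotFoundError):
            results[rpath] = "rejected"
    return results


if __name__ == "__main__":
    for rpath, outcome in demo().items():
        print(f"{rpath!r}: {outcome}")
```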
This issue has been addressed in the following products:
Red Hat Certification for Red Hat Enterprise Linux 7
Via RHSA-2018:2373 https://access.redhat.com/errata/RHSA-2018:2373