Spacewalk up to version 2.9 is vulnerable to XML internal entity injection via the /rpc/api endpoint. Exploiting this vulnerability could allow an attacker to extract local files from the system running Spacewalk, as well as files remotely accessible from that host. In addition, it opens the door to server-side request forgery, denial of service and, in some cases, potentially remote code execution.
Acknowledgments: Thibaut Zonca
This vulnerability is closely related to CVE-2018-1077, which was previously reported and fixed in Bugzilla bug 1555429.
Statement: This flaw was rated Medium in the context of Red Hat Satellite 5 because, in that product, it does not allow remote code execution and because of the limits on what file content can be retrieved.
Upstream fix: https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c
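The weak and corrected parser settings behind this class of flaw, as an added Python illustration using the standard library's expat bindings (it is not Spacewalk's Java code or the upstream fix): a constructed XML-RPC request declares a SYSTEM entity, the unsafe parser dereferences it and returns the file content as a parameter value, and the hardened parser refuses the DOCTYPE before any entity is declared. The request body, the "example.method" name and the secret file are all constructed for the demonstration.

```python
import tempfile, xml.parsers.expat as expat

# Constructed XML-RPC body: a DOCTYPE declares a SYSTEM entity that a parameter then references.
def xxe_request(path):
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE methodCall [<!ENTITY ext SYSTEM "file://%s">]>\n'
            '<methodCall><methodName>example.method</methodName>'   # placeholder method name
            '<params><param><value><string>&ext;</string></value></param></params></methodCall>' % path)

def _new_parser():
    """Expat parser that collects only the text inside <string> parameters."""
    parts, inside = [], []   # 'inside' is non-empty while between <string> tags
    p = expat.ParserCreate()
    p.StartElementHandler = lambda name, _attrs: name == "string" and inside.append(1)
    p.EndElementHandler = lambda name: name == "string" and inside.pop()
    p.CharacterDataHandler = lambda data: inside and parts.append(data)
    return parts, p

def parse_unsafe(body):
    """Weak setting: SYSTEM identifiers are dereferenced and their content becomes parameter text."""
    parts, p = _new_parser()
    def fetch(context, base, system_id, public_id):
        # Attacker-chosen path; a URL here instead of a file is the SSRF case.
        with open(system_id[len("file://"):], "rb") as f:
            p.ExternalEntityParserCreate(context).Parse(f.read(), True)
        return 1
    p.ExternalEntityRefHandler = fetch
    p.Parse(body.encode(), True)
    return "".join(parts)

def parse_hardened(body):
    """Corrected setting: refuse any DOCTYPE (XML-RPC needs none) and install no entity resolver."""
    parts, p = _new_parser()
    def reject(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE not permitted in XML-RPC request")
    p.StartDoctypeDeclHandler = reject
    p.Parse(body.encode(), True)
    return "".join(parts)

def demo():
    """Runs both parsers on a request pointing at a constructed secret file."""
    with tempfile.TemporaryDirectory() as d:
        with open(d + "/secret.txt", "w") as f:
            f.write("db_password=constructed-example")
        leaked = parse_unsafe(xxe_request(d + "/secret.txt"))
        try:
            parse_hardened(xxe_request(d + "/secret.txt")); blocked = False
        except ValueError:
            blocked = True
    return {"leaked": leaked, "blocked": blocked}
```

Rejecting the DOCTYPE outright is the simplest fix because XML-RPC never needs one; leaving the entity resolver unset is the second line of defence for parsers that must accept DTDs.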