CVE-2024-4871

EPSS 1.74%
Veröffentlicht 14.05.2024 16:17:37
Zuletzt bearbeitet 21.11.2024 09:43:45
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A vulnerability was found in Satellite. When running a remote execution job on a host, the host's SSH key is not being checked. When the key changes, the Satellite still connects it because it uses "-o StrictHostKeyChecking=no". This flaw can lead to a man-in-the-middle attack (MITM), denial of service, leaking of secrets the remote execution job contains, or other issues that may arise from the attacker's ability to forge an SSH key. This issue does not directly allow unauthorized remote execution on the Satellite, although it can leak secrets that may lead to it.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/theforeman/foreman

≫

Paket foreman

Version 3.9.1.8

Status affected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:4.3.14-1.el8sat

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:3.9.1.8-1.el8sat

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 1:3.9.3.2-1.el8sat

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:2.16.9-1.el8pc

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:3.39.15-1.el8pc

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:1.8.3-1.el8sat

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:13.0.6-1.el8sat

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:12.0.7-1.el8sat

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:4.11.0.15-1.el8sat

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:3.0.0-1.el8sat

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:0.10.6-1.el8sat

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:6.15.2-1.el8sat

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.74%	0.819

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	6.8	1.6	5.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-322 Key Exchange without Entity Authentication

The product performs a key exchange with an actor without verifying the identity of that actor.

https://access.redhat.com/errata/RHBA-2024:4589

https://access.redhat.com/security/cve/CVE-2024-4871

https://bugzilla.redhat.com/show_bug.cgi?id=2278627

https://nvd.nist.gov/vuln/detail/CVE-2024-4871

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-4871

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-4871

EUVD