CVE-2024-4871

EPSS 1.74%
Published 14.05.2024 16:17:37
Last modified 21.11.2024 09:43:45
Source secalert@redhat.com
Teams watchlist Login
Open Login

A vulnerability was found in Satellite. When running a remote execution job on a host, the host's SSH key is not being checked. When the key changes, the Satellite still connects it because it uses "-o StrictHostKeyChecking=no". This flaw can lead to a man-in-the-middle attack (MITM), denial of service, leaking of secrets the remote execution job contains, or other issues that may arise from the attacker's ability to forge an SSH key. This issue does not directly allow unauthorized remote execution on the Satellite, although it can leak secrets that may lead to it.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/theforeman/foreman

≫

Package foreman

Version 3.9.1.8

Status affected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:4.3.14-1.el8sat

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:3.9.1.8-1.el8sat

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 1:3.9.3.2-1.el8sat

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:2.16.9-1.el8pc

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:3.39.15-1.el8pc

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:1.8.3-1.el8sat

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:13.0.6-1.el8sat

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:12.0.7-1.el8sat

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:4.11.0.15-1.el8sat

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:3.0.0-1.el8sat

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:0.10.6-1.el8sat

Status unaffected

VendorRed Hat

≫

Product Red Hat Satellite 6.15 for RHEL 8

Default Statusaffected

Version < *

Version 0:6.15.2-1.el8sat

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.74%	0.819

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
secalert@redhat.com	6.8	1.6	5.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-322 Key Exchange without Entity Authentication

The product performs a key exchange with an actor without verifying the identity of that actor.

https://access.redhat.com/errata/RHBA-2024:4589

https://access.redhat.com/security/cve/CVE-2024-4871

https://bugzilla.redhat.com/show_bug.cgi?id=2278627

https://nvd.nist.gov/vuln/detail/CVE-2024-4871

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-4871

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-4871

EUVD