4.3
CVE-2026-12515
- EPSS 0.2%
- Veröffentlicht 17.06.2026 15:34:00
- Zuletzt bearbeitet 26.06.2026 23:17:07
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Katello: missing repository authorization in content_uploads exposes cross-product content existence
A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRed Hat
≫
Produkt
Red Hat Hardened Images
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat Satellite 6
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Satellite 6
Default Statusaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.095 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://access.redhat.com/security/cve/CVE-2026-12515
https://bugzilla.redhat.com/show_bug.cgi?id=2489812
https://github.com/Katello/katello/pull/11712