Katello

This hub aggregates every CVE we track for Katello, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Katello.

• CVE-2024-4812Katello: potential cross-site scripting exploit in ui4.8Jun 5, 2024
• CVE-2014-0183Versions of Katello as shipped with Red Hat Subscription Asset Manager 1.4 are vulnerable to a XSS via HTML in the systems name when registering.6.1Jan 2, 2020
• CVE-2013-4120Katello has a Denial of Service vulnerability in API OAuth authentication7.5Dec 10, 2019
• CVE-2013-0283Katello: Username in Notification page has cross site scripting5.4Dec 5, 2019
• CVE-2013-2101Katello has multiple XSS issues in various entities5.4Dec 3, 2019
• CVE-2019-14825A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without ...2.7Nov 25, 2019
• CVE-2018-16887A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against oth...5.4Jan 13, 2019
• CVE-2018-14623A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak interna...4.3Dec 13, 2018
• CVE-2017-2662A flaw was found in Foreman's katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not res...4.3Aug 22, 2018
• CVE-2016-9595A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing th...7.3Jul 27, 2018
• CVE-2013-4201Katello allows remote authenticated users to call the "system remove_deletion" CLI command via vectors related to "remove system" permissions.4.3May 1, 2018
• CVE-2016-3072Multiple SQL injection vulnerabilities in the scoped_search function in app/controllers/katello/api/v2/api_controller.rb in Katello allow remote authenticated users to execute arbitrary SQL command...8.8Jun 7, 2016
• CVE-2014-3712Katello allows remote attackers to cause a denial of service (memory consumption) via the (1) mode parameter in the setup_utils function in content_search_controller.rb or (2) action parameter in t...5.0Nov 3, 2014
• CVE-2013-2143The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by ...6.5Apr 17, 2014
• CVE-2012-6116modules/certs/manifests/config.pp in katello-configure before 1.3.3.pulpv2 in Katello uses weak permissions (666) for the Candlepin bootstrap RPM, which allows local users to modify the Candlepin C...2.1Mar 1, 2013