The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-04-17T14:00:00

Updated: 2024-08-06T15:27:40.812Z

Reserved: 2013-02-19T00:00:00

Link: CVE-2013-2143

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2014-04-17T14:55:05.730

Modified: 2021-07-16T16:21:38.013

Link: CVE-2013-2143

cve-icon Redhat

Severity : Important

Publid Date: 2014-03-24T00:00:00Z

Links: CVE-2013-2143 - Bugzilla