{"containers": {"cna": {"affected": [{"product": "Satellite", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-01-08T00:00:00", "descriptions": [{"lang": "en", "value": "An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change configuration of any host registered in Red Hat Satellite, independent of the organization the host belongs to. This flaw affects all Red Hat Satellite 6 versions."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-01-23T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "106490", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106490"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14666"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:38:13.123Z"}, "title": "CVE Program Container", "references": [{"name": "106490", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/106490"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14666"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-14666", "datePublished": "2019-01-22T15:00:00", "dateReserved": "2018-07-27T00:00:00", "dateUpdated": "2024-08-05T09:38:13.123Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:satellite:*:*:*:*:*:*:*:*", "matchCriteriaId": "D48E3548-25F6-4E8F-A1E8-E3D5FA9054FB", "versionEndIncluding": "6.4", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change configuration of any host registered in Red Hat Satellite, independent of the organization the host belongs to. This flaw affects all Red Hat Satellite 6 versions."}, {"lang": "es", "value": "Se ha encontrado un fallo de autorizaci\u00f3n incorrecta en la funcionalidad Smart Class en Foreman. Un atacante puede usarlo para cambiar la configuraci\u00f3n de cualquier host que se encuentra registrado en Red Hat Satellite, independientemente de la organizaci\u00f3n a la que pertenezca dicho host. Este fallo afecta a todas las versiones de Red Hat Satellite 6."}], "id": "CVE-2018-14666", "lastModified": "2019-10-09T23:35:09.047", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2019-01-22T15:29:00.317", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/106490"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14666"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Pat Riehecky (Fermilab) for reporting this issue.", "bugzilla": {"description": "Satellite: Smart class parameters allow users to access other organizations", "id": "1638156", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638156"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-285", "details": ["An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change configuration of any host registered in Red Hat Satellite, independent of the organization the host belongs to. This flaw affects all Red Hat Satellite 6 versions.", "An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change configuration of any host registered in Satellite, independent of the organization the host belongs to. This flaw affects all Satellite 6 versions."], "name": "CVE-2018-14666", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "foreman", "product_name": "Red Hat Satellite 6"}], "public_date": "2019-01-08T18:02:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-14666\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-14666"], "threat_severity": "Moderate"}