OpenCVE

The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Candlepinproject	Candlepin
Redhat	Satellite Satellite Capsule

Configuration 1 [-]

OR	cpe:2.3:a:candlepinproject:candlepin::::::::
	cpe:2.3:a:candlepinproject:candlepin::::::::
	cpe:2.3:a:candlepinproject:candlepin::::::::

Package	CPE	Advisory	Released Date
Red Hat Satellite 6.10 for RHEL 7
candlepin-0:4.0.15-1.el7sat	cpe:/a:redhat:satellite:6.10::el7	RHSA-2022:0790	2022-03-08T00:00:00Z
Red Hat Satellite 6.11 for RHEL 7
satellite-0:6.11.0-2.el7sat	cpe:/a:redhat:satellite:6.11::el7	RHSA-2022:5498	2022-07-05T00:00:00Z
satellite-0:6.11.0-2.el7sat	cpe:/a:redhat:satellite_capsule:6.11::el7	RHSA-2022:5498	2022-07-05T00:00:00Z
Red Hat Satellite 6.11 for RHEL 8
satellite-0:6.11.0-2.el8sat	cpe:/a:redhat:satellite:6.11::el8	RHSA-2022:5498	2022-07-05T00:00:00Z
satellite-0:6.11.0-2.el8sat	cpe:/a:redhat:satellite_capsule:6.11::el8	RHSA-2022:5498	2022-07-05T00:00:00Z

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2021-4142
https://bugzilla.redhat.com/show_bug.cgi?id=2034346
https://github.com/candlepin/candlepin/pull/3197
https://github.com/candlepin/candlepin/pull/3198
https://github.com/candlepin/candlepin/pull/3199
https://nvd.nist.gov/vuln/detail/CVE-2021-4142
https://www.cve.org/CVERecord?id=CVE-2021-4142

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-08-24T15:09:56

Updated: 2024-08-03T17:16:04.280Z

Reserved: 2021-12-20T00:00:00

Link: CVE-2021-4142

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-24T16:15:09.547

Modified: 2023-11-07T03:40:15.473

Link: CVE-2021-4142

Redhat

Severity : Moderate

Publid Date: 2022-01-17T10:30:00Z

Links: CVE-2021-4142 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "candlepin", "vendor": "n/a", "versions": [{"status": "affected", "version": "Affects v3.1.28-2, v3.2.21-1, v4.1.8-1 and earlier are affected."}]}], "descriptions": [{"lang": "en", "value": "The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 - Authorization Bypass Through User-Controlled Key -> CWE-287 - Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-24T15:09:56", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034346"}, {"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/CVE-2021-4142"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/candlepin/candlepin/pull/3199"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/candlepin/candlepin/pull/3197"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/candlepin/candlepin/pull/3198"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:16:04.280Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034346"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/CVE-2021-4142"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/candlepin/candlepin/pull/3199"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/candlepin/candlepin/pull/3197"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/candlepin/candlepin/pull/3198"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-4142", "datePublished": "2022-08-24T15:09:56", "dateReserved": "2021-12-20T00:00:00", "dateUpdated": "2024-08-03T17:16:04.280Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F8E66F2-C51A-413B-A621-33CA21EDA81F", "versionEndIncluding": "3.1.28-2", "versionStartIncluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "matchCriteriaId": "236D3F17-234D-41D9-A67D-0E919D60CE24", "versionEndIncluding": "3.2.21-1", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:candlepinproject:candlepin:*:*:*:*:*:*:*:*", "matchCriteriaId": "2822E169-A7B8-4EDA-B913-AF98CFC1BCCF", "versionEndIncluding": "4.1.8-1", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin."}, {"lang": "es", "value": "El componente Candlepin de Red Hat Satellite estaba afectado por un fallo de autenticaci\u00f3n inapropiado. Algunos factores pod\u00edan permitir a un atacante usar el certificado SCA (Simple Content Access) para la autenticaci\u00f3n con Candlepin."}], "id": "CVE-2021-4142", "lastModified": "2023-11-07T03:40:15.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-24T16:15:09.547", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2021-4142"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034346"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/candlepin/candlepin/pull/3197"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/candlepin/candlepin/pull/3198"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/candlepin/candlepin/pull/3199"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Upstream acknowledges Barnaby Court and Nikolaos Moumoulidis as the original reporters.", "affected_release": [{"advisory": "RHSA-2022:0790", "cpe": "cpe:/a:redhat:satellite:6.10::el7", "impact": "moderate", "package": "candlepin-0:4.0.15-1.el7sat", "product_name": "Red Hat Satellite 6.10 for RHEL 7", "release_date": "2022-03-08T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite:6.11::el7", "impact": "moderate", "package": "satellite-0:6.11.0-2.el7sat", "product_name": "Red Hat Satellite 6.11 for RHEL 7", "release_date": "2022-07-05T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite_capsule:6.11::el7", "impact": "moderate", "package": "satellite-0:6.11.0-2.el7sat", "product_name": "Red Hat Satellite 6.11 for RHEL 7", "release_date": "2022-07-05T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite:6.11::el8", "impact": "moderate", "package": "satellite-0:6.11.0-2.el8sat", "product_name": "Red Hat Satellite 6.11 for RHEL 8", "release_date": "2022-07-05T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite_capsule:6.11::el8", "impact": "moderate", "package": "satellite-0:6.11.0-2.el8sat", "product_name": "Red Hat Satellite 6.11 for RHEL 8", "release_date": "2022-07-05T00:00:00Z"}], "bugzilla": {"description": "Satellite: Allow unintended SCA certificate to authenticate Candlepin", "id": "2034346", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034346"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-639->CWE-287", "details": ["The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin.", "The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is not available because it doesn't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-4142", "public_date": "2022-01-17T10:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-4142\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-4142"], "threat_severity": "Moderate"}