Vulnerability Name:

CVE-2009-4139 (CCN-68074)

Assigned:2009-12-01
Published:2011-06-19
Updated:2017-08-17
Summary:Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java site packages (aka spacewalk-java) 1.2.39 in Spacewalk, as used in the server in Red Hat Network Satellite 5.3.0 through 5.4.1 and other products, allows remote attackers to hijack the authentication of arbitrary users for requests that (1) disable the current user account, (2) add user accounts, or (3) modify user accounts to have administrator privileges.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-352
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2009-4139

Source: CCN
Type: RHSA-2011-0879
Moderate: Red Hat Network Satellite server spacewalk-java security update

Source: CCN
Type: SA44959
Red Hat Network Satellite Server Cross-Site Request Forgery Vulnerability

Source: SECTRACK
Type: UNKNOWN
1025674

Source: CCN
Type: OSVDB ID: 73112
Red Hat Network Satellite Server Admin Privilege Addition CSRF

Source: CCN
Type: Red Hat Web site
Red Hat Network Satellite

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2011:0879

Source: CCN
Type: BID-48322
Red Hat Satellite Server 'spacewalk-java' Cross Site Request Forgery Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=529483

Source: XF
Type: UNKNOWN
nss-spacewalk-csrf(68074)

Source: XF
Type: UNKNOWN
nss-spacewalk-csrf(68074)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:network_satellite_server:5.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:network_satellite_server:5.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:network_satellite_server:5.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:spacewalk-java:1.2.39:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:redhat:network_satellite:5.4:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    redhat network satellite server 5.3.0
    redhat network satellite server 5.4.0
    redhat network satellite server 5.4.1
    redhat spacewalk-java 1.2.39
    redhat network satellite 5.4
    redhat linux advanced workstation 2.1
    redhat enterprise linux 5