Vulnerability CVE-2010-2236 - CERT Civis.Net

Vulnerability Name:

CVE-2010-2236 (CCN-92714)

Assigned:

2010-06-09

Published:

2014-03-04

Updated:

2022-02-03

Summary:

The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, related to backticks.

CVSS v3 Severity:

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
4.4 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
4.8 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2010-2236

Source: SECUNIA
Type: Vendor Advisory
56952

Source: CCN
Type: Red Hat Network Satellite Server Web site
Red Hat | Red Hat Satellite

Source: CCN
Type: BID-68760
Multiple Products Monitoring Probe Display Remote Arbitrary Code Execution Vulnerability

Source: MISC
Type: UNKNOWN
https://bugzilla.redhat.com/attachment.cgi?id=819987&action=diff

Source: CCN
Type: Red Hat Bugzilla Bug 607712
(CVE-2010-2236) CVE-2010-2236 RHN Satellite / Proxy: Improper monitoring probes input sanitization (ACE)

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=607712

Source: CCN
Type: Red Hat Bugzilla Bug 881411
elinks/links: does not properly verify SSL certificates

Source: XF
Type: UNKNOWN
satellite-cve20102236-code-exec(92714)

Source: CONFIRM
Type: Exploit, Patch
https://git.fedorahosted.org/cgit/spacewalk.git/commit/?id=18c70164285cae0660fa3ac55c6656bb19b3b13f

Source: CONFIRM
Type: Exploit, Patch
https://git.fedorahosted.org/cgit/spacewalk.git/commit/?id=c41c87a9dc9dac771eb761dd63ada05b2f9104f9

Source: SUSE
Type: UNKNOWN
SUSE-SU-2014:0222

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2010-2236

Vulnerable Configuration:

Configuration 1:

cpe:/a:redhat:satellite:4.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:satellite:4.2:*:*:*:*:*:*:*

OR cpe:/a:redhat:satellite:5.3:*:*:*:*:*:*:*

OR cpe:/a:redhat:spacewalk-java:*:*:*:*:*:*:*:* (Version <= 2.1.147-1)

OR cpe:/a:redhat:network_proxy:5.3:*:*:*:*:*:*:*

OR cpe:/a:redhat:satellite:5.1:*:*:*:*:*:*:*

OR cpe:/a:redhat:satellite:5.2:*:*:*:*:*:*:*

OR cpe:/a:redhat:satellite:4.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:redhat:network_satellite:5.1:*:*:*:*:*:*:*

OR cpe:/a:redhat:network_satellite:5.3:*:*:*:*:*:*:*

OR cpe:/a:redhat:network_proxy:5.3:*:*:*:*:*:*:*

OR cpe:/a:redhat:network_satellite:5.2:*:*:*:*:*:*:*

OR cpe:/a:redhat:network_satellite:4.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:network_satellite:4.1:*:*:*:*:*:*:*

OR cpe:/a:redhat:network_satellite:4.2:*:*:*:*:*:*:*

Denotes that component is vulnerable