Vulnerability Name:

CVE-2014-3595 (CCN-99871)

Assigned:2014-09-11
Published:2014-09-11
Updated:2022-02-25
Summary:Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2014-3595

Source: SUSE
Type: Mailing List, Patch, Vendor Advisory
SUSE-SU-2014:1218

Source: SUSE
Type: Mailing List, Patch, Vendor Advisory
SUSE-SU-2014:1339

Source: CCN
Type: RHSA-2014-1184
Important: spacewalk-java security update

Source: REDHAT
Type: Vendor Advisory
RHSA-2014:1184

Source: SECUNIA
Type: Third Party Advisory
61115

Source: SECUNIA
Type: Third Party Advisory
62027

Source: CCN
Type: BID-69783
Red Hat Spacewalk CVE-2014-3595 HTML Injection Vulnerability

Source: XF
Type: UNKNOWN
spacewalk-cve20143595-xss(99871)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:satellite:5.4:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:satellite:5.5:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:satellite:5.6:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:satellite_with_embedded_oracle:5.4:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:satellite_with_embedded_oracle:5.5:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:spacewalk-java:1.2.39:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:spacewalk-java:1.7.54:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:spacewalk-java:2.0.2:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:suse:manager:1.7:*:*:*:*:*:*:*
  • AND
  • cpe:/o:suse:suse_linux_enterprise_server:11:sp2:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:suse:manager_server:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:redhat:spacewalk-java:1.2.39:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:spacewalk-java:1.7.54:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:spacewalk-java:2.0.2:*:*:*:*:*:*:*
  • AND
  • cpe:/a:redhat:network_satellite:5.4:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:network_satellite:5.5:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:network_satellite:5.6:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    redhat satellite 5.4
    redhat satellite 5.5
    redhat satellite 5.6
    redhat satellite with embedded oracle 5.4
    redhat satellite with embedded oracle 5.5
    redhat spacewalk-java 1.2.39
    redhat spacewalk-java 1.7.54
    redhat spacewalk-java 2.0.2
    suse manager 1.7
    suse suse linux enterprise server 11 sp2
    suse manager server -
    redhat spacewalk-java 1.2.39
    redhat spacewalk-java 1.7.54
    redhat spacewalk-java 2.0.2
    redhat network satellite 5.4
    redhat network satellite 5.5
    redhat network satellite 5.6