Vulnerability Name:

CVE-2015-5164 (CCN-133654)

Assigned:2015-07-28
Published:2015-07-28
Updated:2017-11-08
Summary:The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp.
CVSS v3 Severity:7.2 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
6.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
6.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-502
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2015-5164

Source: CCN
Type: Red Hat Web site
Red Hat Satellite

Source: CCN
Type: Red Hat Bugzilla – Bug 1247732
(CVE-2015-5164) CVE-2015-5164 Satellite6: python pickle() processing problem in pulp

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1247732

Source: XF
Type: UNKNOWN
redhat-cve20155164-code-exec(133654)

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://pulp.plan.io/issues/23

Vulnerable Configuration:Configuration 1:
  • cpe:/a:pulpproject:qpid:-:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:satellite:6.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:redhat:satellite:6.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    pulpproject qpid -
    redhat satellite 6.0
    redhat satellite 6.1