About “Red Hat Satellite”

A curated feed of “Red Hat Satellite”-related CVEs appears below. We currently track 32 CVEs for this tag (all time). In the last 365 days, 3 were published. Average CVSS is 6.1 (all time; 7.2 over 365d), and 22% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are the primary source for fixed versions. Verify compatibility matrices, prefer supported long-term versions, and stage rollouts with monitoring. The list below is sortable by CVSS, risk and CWE; each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: redhat-satellite

This table shows recent release cycles, the latest release in each cycle, and the cycle's lifecycle status. Data source: endoflife.date. Release, premier-support and EOL dates are not reproduced in this copy; consult endoflife.date for them.

Cycle   Latest     Status
6.19    6.19       Maintained
6.18    6.18.5     Maintained
6.17    6.17.8     Soon (≤ 180 days)
6.16    6.16.8     Expired
6.15    6.15.5.8   Expired
6.14    6.14.4.5   Expired
6.13    6.13.7.3   Expired
6.12    6.12.5.3   Expired
6.11    6.11.5.7   Expired
6.10    6.10.7.2   Expired
6.9     6.9.10     Expired
6.8     6.8.6      Expired
6.7     6.7.5      Expired
6.6     6.6.3      Expired
6.5     6.5.3      Expired
6.4     6.4.4      Expired
6.3     6.3.5      Expired
6.2     6.2.16     Expired
6.1     6.1.12     Expired
6.0     6.0.8      Expired

Legend: Maintained · Soon (≤ 180 days) · Expired
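The two things a practitioner actually does with a page like this are (a) recompute the headline feed numbers (count, last-365-day count, average CVSS, share of High/Critical, top CWEs) from the raw JSON and (b) check whether the Satellite cycle they are running is still supported and on its latest release. The script below does both. It is an added example, not code from this site or from Red Hat: the feed field names (id, published, cvss, cwe) are an assumption about the page's JSON, the feed records are constructed with placeholder IDs and illustrative scores, only the five most recent lifecycle rows are transcribed from the table above, and the severity bands follow the standard CVSS v3 qualitative scale.

```python
"""Summarise a CVE feed and check a Satellite version against lifecycle data.

Added example; not code from this site or from Red Hat. The feed schema
(id/published/cvss/cwe) and the records themselves are constructed for the demo.
"""
from collections import Counter
from datetime import date, timedelta

# Lifecycle rows transcribed from the table above (cycle -> (latest, status)).
# Only the most recent cycles are included; rows without a flag are "maintained".
LIFECYCLE = {
    "6.19": ("6.19", "maintained"),
    "6.18": ("6.18.5", "maintained"),
    "6.17": ("6.17.8", "soon"),
    "6.16": ("6.16.8", "expired"),
    "6.15": ("6.15.5.8", "expired"),
}

# Constructed sample feed. IDs are placeholders, not real CVEs, and the scores
# are illustrative. The field names are an assumption about the page's JSON.
FEED = [
    {"id": "EXAMPLE-1", "published": "2026-03-17", "cvss": 6.5, "cwe": "CWE-89"},
    {"id": "EXAMPLE-2", "published": "2026-02-27", "cvss": 7.2, "cwe": "CWE-78"},
    {"id": "EXAMPLE-3", "published": "2025-11-05", "cvss": 8.8, "cwe": "CWE-78"},
    {"id": "EXAMPLE-4", "published": "2025-03-15", "cvss": 3.3, "cwe": "CWE-732"},
    {"id": "EXAMPLE-5", "published": "2020-07-31", "cvss": 5.5, "cwe": "CWE-200"},
]
TODAY = date(2026, 3, 20)  # fixed reference date so the output is reproducible


def severity(cvss):
    """CVSS v3 qualitative bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def summarise(feed, today, window_days=365):
    """Recompute the headline numbers shown at the top of this page for a feed."""
    cutoff = today - timedelta(days=window_days)
    recent = [r for r in feed if date.fromisoformat(r["published"]) > cutoff]

    def avg(rows):
        return round(sum(r["cvss"] for r in rows) / len(rows), 1) if rows else 0.0

    high_crit = sum(1 for r in feed if severity(r["cvss"]) in ("High", "Critical"))
    return {
        "total": len(feed),
        "recent": len(recent),
        "avg_cvss": avg(feed),
        "avg_cvss_recent": avg(recent),
        "pct_high_crit": round(100 * high_crit / len(feed)) if feed else 0,
        "top_cwes_recent": [c for c, _ in Counter(r["cwe"] for r in recent).most_common(2)],
    }


def cycle_of(version):
    """Satellite versions are major.minor[.patch...]; the lifecycle cycle is major.minor."""
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return ".".join(parts[:2])


def check_version(version, lifecycle=LIFECYCLE):
    """Return (cycle, status, behind_latest) for an installed version.

    behind_latest is None when the cycle is absent from the lifecycle table.
    """
    cycle = cycle_of(version)
    if cycle not in lifecycle:
        return cycle, "unknown", None
    latest, status = lifecycle[cycle]

    def as_tuple(v):
        return tuple(int(p) for p in v.split("."))

    return cycle, status, as_tuple(version) < as_tuple(latest)


if __name__ == "__main__":
    print(summarise(FEED, TODAY))
    for v in ("6.19", "6.17.6", "6.15.5.8", "7.0.1"):
        print(v, check_version(v))
```

Two details matter in practice: the 365-day window is applied to the publication date, not the CVE year (CVE-2021-4142 above was published in 2022), and a cycle that is "soon" but behind its latest release is the case worth alerting on, since the remaining patch window is short.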


CVEs tagged with this topic.

2026-03-17 · Medium · CVE-2026-4324
A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands int…

2026-02-27 · High · CVE-2026-0980
A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit…

2025-11-05 · High · CVE-2025-10622
A flaw was found in Red Hat Satellite (Foreman component). This vulnerability allows an authenticated user with edit_settings permissions to achieve arbitrary command execution on the underlying oper…

2025-03-15 · Low · CVE-2025-2157
A flaw was found in Foreman/Red Hat Satellite. Improper file permissions allow low-privileged OS users to monitor and access temporary files under /var/tmp, exposing sensitive command outputs, such a…

2022-08-24 · Medium · CVE-2021-4142
The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. A few factors could allow an attacker to use the SCA (simple content access) certificate for authentication…

2022-08-16 · Medium · CVE-2020-10710
A flaw was found where the plaintext Candlepin password is disclosed while updating Red Hat Satellite through the satellite-installer. This flaw allows an attacker with sufficiently high privileges,…

2021-06-02 · High · CVE-2020-14380
An account takeover flaw was found in Red Hat Satellite 6.7.2 onward. A potential attacker with proper authentication to the relevant external authentication source (SSO or Open ID) can claim the pri…

Medium · CVE-2020-14371
A credential leak vulnerability was found in Red Hat Satellite. This flaw exposes the compute resources' credentials through VMs that are running on these resources in Satellite.

Medium · CVE-2020-14335
A flaw was found in Red Hat Satellite, which allows a privileged attacker to read OMAPI secrets through the ISC DHCP of Smart-Proxy. This flaw allows an attacker to gain control of DHCP records from…

2021-05-27 · Medium · CVE-2020-10716
A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invoc…

2021-04-08 · Medium · CVE-2021-3413
A flaw was found in Red Hat Satellite in tfm-rubygem-foreman_azure_rm in versions before 2.2.0. A credential leak was identified which will expose Azure Resource Manager's secret key through JSON of…

2021-02-23 · Medium · CVE-2021-20256
A flaw was found in Red Hat Satellite. The BMC interface exposes the password through the API to an authenticated local attacker with view_hosts permission. The highest threat from this vulnerability…

2020-07-31 · High · CVE-2020-14334
A flaw was found in Red Hat Satellite 6 which allows a privileged attacker to read cache files. These cached credentials could help an attacker gain complete control of the Satellite instance.

2020-01-02 · Medium · CVE-2014-3590
Versions of Foreman as shipped with Red Hat Satellite 6 do not check for a correct CSRF token in the logout action. Therefore, an attacker can log out a user by having them view specially crafted c…

2019-04-15 · High · CVE-2019-3891
It was discovered that a world-readable log file belonging to the Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Sa…

2019-01-22 · Medium · CVE-2018-14666
An improper authorization flaw was found in the Smart Class feature of Foreman. An attacker can use it to change the configuration of any host registered in Red Hat Satellite, independent of the organiza…

2018-07-30 · Medium · CVE-2017-7514
A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to pe…

2018-07-26 · Low · CVE-2017-12175
Red Hat Satellite before 6.5 is vulnerable to an XSS in the discovery rule when entering a filter using the autocomplete functionality.

2018-02-27 · Low · CVE-2017-15136
When registering and activating a new system with Red Hat Satellite 6, if the new system's hostname is then reset to the hostname of a previously registered system, the previously registered system will…

2017-10-18 · High · CVE-2015-5164
The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code…

2017-08-28 · Medium · CVE-2014-8163
Directory traversal vulnerability in the XMLRPC interface in Red Hat Satellite 5.

Medium · CVE-2014-8168
Red Hat Satellite 6 allows local users to access mongod and delete pulp_database.

Medium · CVE-2014-0141
Cross-site scripting (XSS) vulnerability in Red Hat Satellite 6.0.3.

2017-06-06 · Medium · CVE-2014-8180
MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information, which can cause a denial of service.

2017-04-13 · Medium · CVE-2016-2104
Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Satellite 5 allow remote attackers to inject arbitrary web script or HTML via (1) the label parameter to admin/BunchDetail.do; (2) the p…

2016-08-05 · Medium · CVE-2016-3097
Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via a group name, related to viewing snapshot data.

Medium · CVE-2016-3080
Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via the (1) RHNMD User or (2) Filesystem parameters,…

2016-04-14 · Medium · CVE-2016-3079
Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Spacewalk and Red Hat Satellite 5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to systems…

Medium · CVE-2016-2103
Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Satellite 5 allow remote attackers to inject arbitrary web script or HTML via (1) the list_1680466951_oldfilterval parameter to systems/…

Medium · CVE-2015-0284
Cross-site scripting (XSS) vulnerability in spacewalk-java in Spacewalk and Red Hat Satellite 5.7 allows remote authenticated users to inject arbitrary web script or HTML via crafted XML data to the…

2014-04-17 · Medium · CVE-2013-2143
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by se…

2013-11-18 · High · CVE-2013-4480
Red Hat Satellite 5.6 and earlier does not disable the web interface that is used to create the first user for a satellite, which allows remote attackers to create administrator accounts.
