CVE-2012-6119 · Medium
CVSS
4.0
Medium
EPSS
0.004 · p33
Published
2012-01-01
Updated
2012-01-01
Description
Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.
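The weakness above is an importer that does not treat manifest signature verification as a gate. The Go program below is an added example written for this page, not Candlepin's or Red Hat's code: it models a generic signed manifest (a small JSON body plus a detached RSA-PSS/SHA-256 signature, an assumed format rather than Candlepin's) and puts the weak import pattern, which parses first and only logs a failed check, next to the fail-closed version, which verifies the exact bytes before parsing. The record does not say how Candlepin's check was deficient; the lenient variant illustrates the weakness class, not the actual bug. All type and function names (Manifest, ImportLenient, ImportStrict, and so on) are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"log"
)

// Manifest is an assumed, minimal manifest body (not Candlepin's format).
type Manifest struct {
	Owner    string `json:"owner"`
	Quantity int    `json:"quantity"`
}

// NewKeyPair creates the upstream signing key. In a deployment only the
// public half would be installed on the importing host.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignManifest produces a detached RSA-PSS signature over the raw manifest bytes.
func SignManifest(priv *rsa.PrivateKey, manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyManifest checks the detached signature against the exact bytes that
// will later be parsed, so there is no gap between "what was verified" and
// "what was used".
func VerifyManifest(pub *rsa.PublicKey, manifest, sig []byte) error {
	digest := sha256.Sum256(manifest)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("manifest signature invalid: %w", err)
	}
	return nil
}

// ImportLenient is the WEAK pattern: the manifest is parsed and returned
// regardless of the verification result, which is merely logged. Anyone who
// can edit the manifest file on disk can therefore change what gets imported.
func ImportLenient(pub *rsa.PublicKey, manifest, sig []byte) (Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return Manifest{}, err
	}
	if err := VerifyManifest(pub, manifest, sig); err != nil {
		log.Printf("warning: %v (import continues)", err) // the flaw: failure is not fatal
	}
	return m, nil
}

// ImportStrict is the fail-closed pattern: verify first, parse only on success,
// and return nothing usable when verification fails.
func ImportStrict(pub *rsa.PublicKey, manifest, sig []byte) (Manifest, error) {
	if err := VerifyManifest(pub, manifest, sig); err != nil {
		return Manifest{}, err
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("signed manifest is malformed: %w", err)
	}
	return m, nil
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample manifest, signed by the upstream key.
	genuine := []byte(`{"owner":"acme","quantity":5}`)
	sig, err := SignManifest(priv, genuine)
	if err != nil {
		log.Fatal(err)
	}
	// A local user edits the file after it was signed; the signature no longer matches.
	tampered := []byte(`{"owner":"acme","quantity":500}`)

	m, err := ImportLenient(&priv.PublicKey, tampered, sig)
	fmt.Printf("lenient: %+v err=%v\n", m, err)
	m, err = ImportStrict(&priv.PublicKey, tampered, sig)
	fmt.Printf("strict:  %+v err=%v\n", m, err)
}
```

Run with `go run`: the lenient importer returns the edited quantity with a nil error, the strict importer returns an error and an empty Manifest. Verifying the raw bytes rather than a re-serialised parsed object is deliberate; re-serialisation can normalise away exactly the edits an attacker made.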
Tags · CWE
CWE-264 (Category, Obsolete)
Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
https://cwe.mitre.org/data/definitions/264.html
Affected products
Candlepin ≤ 0.7.2 (Candlepin)
Subscription_asset_manager ≤ 1.2.0 (Subscription_asset_manager)
The version bounds shown here do not match the description (fixed in Candlepin 0.7.24 and Subscription Asset Manager 1.2.1); use the description's bounds when matching inventory.
CVSS vector (v2)
AV:N/AC:L/Au:S/C:N/I:P/A:N
Timeline
2012-01-01
Published
2012-01-01
Updated
CVSS 2.0 breakdown
The vector on this record is CVSS v2 (Au and Partial are v2 metrics; no v3.x vector is shown). Its AV:N does not agree with the description's "local users"; NVD v2 vectors and descriptions are not always consistent, so re-score against your own access assumptions before triaging.
Access Vector
AV: N
Network (N)
Access Complexity
AC: L
Low (L)
Authentication
Au: S
Single (S)
Confidentiality Impact
C: N
None (N)
Integrity Impact
I: P
Partial (P)
Availability Impact
A: N
None (N)
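A worked CVSS v2 computation of the vector on this record, added here as an example and not code from NVD or from the page's source: it parses the vector, applies the published v2 base equations and weights, and reports the sub-scores, the base score and NVD's v2 severity band. The second vector in main keeps the same impact metrics but sets local access, matching the description's "local users", to show how far the AV choice moves the score. Names such as ScoreV2 and the Scores type are this example's own.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// CVSS v2 base-metric weights from the v2 base equations.
var (
	weightAV  = map[string]float64{"L": 0.395, "A": 0.646, "N": 1.0}
	weightAC  = map[string]float64{"H": 0.35, "M": 0.61, "L": 0.71}
	weightAu  = map[string]float64{"M": 0.45, "S": 0.56, "N": 0.704}
	weightCIA = map[string]float64{"N": 0.0, "P": 0.275, "C": 0.660}
)

// Scores carries the rounded sub-scores and base score for one v2 vector.
type Scores struct {
	Impact, Exploitability, Base float64
	Severity                     string
}

func round1(x float64) float64 { return math.Round(x*10) / 10 }

// metric looks up one metric value and rejects anything not in its table, so a
// vector with a typo or a v3 metric name fails instead of scoring wrongly.
func metric(m map[string]string, name string, table map[string]float64) (float64, error) {
	v, ok := m[name]
	if !ok {
		return 0, fmt.Errorf("missing metric %s", name)
	}
	w, ok := table[v]
	if !ok {
		return 0, fmt.Errorf("metric %s has unknown value %q", name, v)
	}
	return w, nil
}

// ParseV2 splits "AV:N/AC:L/Au:S/C:N/I:P/A:N" into a metric map.
func ParseV2(vector string) (map[string]string, error) {
	m := make(map[string]string)
	for _, part := range strings.Split(strings.TrimSpace(vector), "/") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, fmt.Errorf("malformed metric %q", part)
		}
		m[kv[0]] = kv[1]
	}
	return m, nil
}

// SeverityV2 applies NVD's v2 qualitative bands (Low < 4.0, Medium < 7.0, High).
func SeverityV2(base float64) string {
	switch {
	case base >= 7.0:
		return "High"
	case base >= 4.0:
		return "Medium"
	default:
		return "Low"
	}
}

// ScoreV2 computes the CVSS v2 impact, exploitability and base scores.
func ScoreV2(vector string) (Scores, error) {
	m, err := ParseV2(vector)
	if err != nil {
		return Scores{}, err
	}
	var w [6]float64
	for idx, spec := range []struct {
		name  string
		table map[string]float64
	}{{"AV", weightAV}, {"AC", weightAC}, {"Au", weightAu}, {"C", weightCIA}, {"I", weightCIA}, {"A", weightCIA}} {
		if w[idx], err = metric(m, spec.name, spec.table); err != nil {
			return Scores{}, err
		}
	}
	av, ac, au, c, i, a := w[0], w[1], w[2], w[3], w[4], w[5]
	impact := 10.41 * (1 - (1-c)*(1-i)*(1-a))
	exploit := 20 * av * ac * au
	fImpact := 1.176 // f(Impact) in the v2 equations: 0 when there is no impact
	if impact == 0 {
		fImpact = 0
	}
	base := round1((0.6*impact + 0.4*exploit - 1.5) * fImpact)
	return Scores{round1(impact), round1(exploit), base, SeverityV2(base)}, nil
}

func main() {
	for _, v := range []string{
		"AV:N/AC:L/Au:S/C:N/I:P/A:N", // vector on this record
		"AV:L/AC:L/Au:S/C:N/I:P/A:N", // same flaw re-scored as local access, per the description
	} {
		s, err := ScoreV2(v)
		if err != nil {
			fmt.Println(v, "error:", err)
			continue
		}
		fmt.Printf("%s -> impact %.1f exploitability %.1f base %.1f (%s)\n",
			v, s.Impact, s.Exploitability, s.Base, s.Severity)
	}
}
```

The record's vector reproduces 4.0 (Medium) with impact 2.9 and exploitability 8.0; the local-access variant drops to 1.7 (Low), which is why the AV inconsistency noted above matters for prioritisation.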
Exploit indicators
EPSS
0.004 · p33
Known exploited (KEV)
No
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
Rows with an empty Vendor column are package names tracked from the distribution advisory; whether each package itself contains the flaw is not stated on this record.

| Product | Vendor | Status |
|---|---|---|
| candlepin | | Tracked |
| katello | | Tracked |
| katello-configure | | Tracked |
| rubygem-actionpack | | Tracked |
| rubygem-activemodel | | Tracked |
| rubygem-delayed_job | | Tracked |
| rubygem-json | | Tracked |
| rubygem-nokogiri | | Tracked |
| rubygem-rack | | Tracked |
| rubygem-rails_warden | | Tracked |
| rubygem-rdoc | | Tracked |
| thumbslug | | Tracked |
| candlepin | * | Tracked |
| subscription_asset_manager | * | Tracked |
Source databases
CVE
National Vulnerability Database
NVD is the U.S. government repository of standards-based vulnerability management data, built on top of the MITRE CVE list. Every record includes CPE applicability statements, CVSS v2 and v3.x base scores, CWE mappings and cross-references to advisories.
Region
US
Updates
15 min
License
Public Domain
Comprehensive catalog of publicly disclosed vulnerabilities with CPE matches, CVSS scoring and reference URLs. De-facto standard for cross-vendor correlation.
https://nvd.nist.gov
RED
Red Hat Security Advisories (RHSA)
Red Hat advisories are authoritative for RHEL-family systems: each record lists the exact package NEVRA fixed, the affected streams, and a Red Hat-assigned severity that may differ from NVD's. Many downstream projects (CentOS Stream, Rocky, Alma) follow these IDs.
Region
US
Updates
1 h
License
CC BY-SA 4.0
Advisories for Red Hat Enterprise Linux, OpenShift, Ansible and other Red Hat products. Includes detailed backport tracking, which matters for long-term-support distributions where the fixed package version does not match upstream's.
https://access.redhat.com/security/security-updates/