Description
Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.
References (6)
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/52774
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://www.osvdb.org/91719
Issue Tracking (x_refsource_misc): https://bugzilla.redhat.com/show_bug.cgi?id=908613
Various Sources (x_refsource_confirm): https://github.com/candlepin/candlepin/blob/master/candlepin.spec
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-0686.html
Patch (x_refsource_confirm): https://github.com/candlepin/candlepin/commit/f4d93230e58b969c506b4c9778e04482a059b08c
Scores
EPSS: 0.0042
EPSS Percentile: 33.9%
Details
CWE: CWE-264
Status: published
Products (9)
candlepinproject/candlepin 0.4.5
candlepinproject/candlepin 0.4.11
candlepinproject/candlepin 0.4.27
candlepinproject/candlepin 0.5.5
candlepinproject/candlepin 0.6.3
candlepinproject/candlepin < 0.7.2
redhat/subscription_asset_manager 1.0.0
redhat/subscription_asset_manager 1.1.0
redhat/subscription_asset_manager < 1.2.0
Published: Apr 02, 2013
Tracked Since: Feb 18, 2026