CVE-2012-6119

Candlepin < 0.7.24 - Manifest Signature Validation Bypass

Title source: llm
STIX 2.1

Description

Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.

References (6)

Core 6
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/52774
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/91719
Issue Tracking x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=908613
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0686.html

Scores

EPSS 0.0042
EPSS Percentile 33.9%

Details

CWE
CWE-264
Status published
Products (9)
candlepinproject/candlepin 0.4.5
candlepinproject/candlepin 0.4.11
candlepinproject/candlepin 0.4.27
candlepinproject/candlepin 0.5.5
candlepinproject/candlepin 0.6.3
candlepinproject/candlepin < 0.7.2
redhat/subscription_asset_manager 1.0.0
redhat/subscription_asset_manager 1.1.0
redhat/subscription_asset_manager < 1.2.0
Published Apr 02, 2013
Tracked Since Feb 18, 2026