module

Katello (Red Hat Satellite) users/update_roles Missing Authorization

Try Surface Command
Back to search
Disclosed
2014-03-24
Created
2018-05-30

Description

This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat Satellite
(Katello 1.5.0-14 and earlier) by changing the specified account to an
administrator account.

Author

Ramon de C Valle rcvalle@metasploit.com

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use auxiliary/admin/http/katello_satellite_priv_esc
    msf auxiliary(katello_satellite_priv_esc) > show actions
        ...actions...
    msf auxiliary(katello_satellite_priv_esc) > set ACTION < action-name >
    msf auxiliary(katello_satellite_priv_esc) > show options
        ...show and set options...
    msf auxiliary(katello_satellite_priv_esc) > run
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today