RHSA-2020:4366HighCVSS 8.8

Red Hat Security Advisory: Satellite 6.8 release

Published
October 27, 2020
Last Modified
June 27, 2026

🔗 CVE IDs covered (28)

📋 Description

CVE-2018-3258 — mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) CVE-2018-11751 — puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL CVE-2018-1000119 — rack-protection: Timing attack in authenticity_token.rb CVE-2019-10219 — hibernate-validator: safeHTML validator allows XSS CVE-2019-12781 — Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS CVE-2019-16782 — rubygem-rack: hijack sessions by using timing attacks targeting the session id CVE-2020-5216 — rubygem-secure_headers: limited header injection when using dynamic overrides with user input CVE-2020-5217 — rubygem-secure_headers: directive injection when using dynamic overrides with user input CVE-2020-5267 — rubygem-actionview: views that use the j or escape_javascript methods are susceptible to XSS attacks CVE-2020-7238 — netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling CVE-2020-7663 — rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser CVE-2020-7942 — puppet: Arbitrary catalog retrieval CVE-2020-7943 — puppet: puppet server and puppetDB may leak sensitive information via metrics API CVE-2020-8161 — rubygem-rack: directory traversal in Rack::Directory CVE-2020-8184 — rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names CVE-2020-8840 — jackson-databind: Lacks certain xbean-reflect/JNDI blocking CVE-2020-9546 — jackson-databind: Serialization gadgets in shaded-hikari-config CVE-2020-9547 — jackson-databind: Serialization gadgets in ibatis-sqlmap CVE-2020-9548 — jackson-databind: Serialization gadgets in anteros-core CVE-2020-10693 — hibernate-validator: Improper input validation in the interpolation of constraint error messages CVE-2020-10968 — jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider CVE-2020-10969 — jackson-databind: Serialization gadgets in javax.swing.JEditorPane CVE-2020-11619 — jackson-databind: Serialization gadgets in org.springframework:spring-aop CVE-2020-14061 — jackson-databind: serialization in weblogic/oracle-aqjms CVE-2020-14062 — jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool CVE-2020-14195 — jackson-databind: serialization in org.jsecurity.realm.jndi.JndiRealmFactory CVE-2020-14334 — foreman: unauthorized cache read on RPM-based installations through local user CVE-2020-14380 — Satellite: Local user impersonation by Single sign-on (SSO) user leads to account takeover

🔗 References (486)