High severity (CVSS 8.8, NVD) · Advisory · Published Jun 7, 2016 · Updated May 6, 2026
CVE-2016-3072
Description
Multiple SQL injection vulnerabilities in the scoped_search function in app/controllers/katello/api/v2/api_controller.rb in Katello allow remote authenticated users to execute arbitrary SQL commands via the (1) sort_by or (2) sort_order parameter.
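The pattern behind this advisory is an ORDER BY clause assembled by string interpolation of request parameters. As an added example (this is not Katello's code), the Ruby below places the pre-fix shape of that logic next to a hardened version that whitelists both the column and the direction before emitting SQL; the table name, the sortable-column list and the attacker inputs are constructed for the demonstration.

```ruby
# Added example, not Katello code: the pre-fix and a hardened way of turning
# sort parameters into an ORDER BY clause. Table name, column list and the
# attacker inputs are constructed for this demonstration.

# Vulnerable form, mirroring the pre-fix scoped_search logic: both the
# column and the direction come from the request and are concatenated
# into the SQL string unchanged, so anything after the column name is
# executed as SQL.
def vulnerable_order_sql(table, sort_by, sort_order,
                         default_sort_by: "updated", default_sort_order: "desc")
  sort_attr = sort_by || default_sort_by
  sort_attr = "#{table}.#{sort_attr}" unless sort_attr.to_s.include?(".")
  "SELECT * FROM #{table} ORDER BY #{sort_attr} #{sort_order || default_sort_order}"
end

# Raised for any sort parameter that is not on the whitelist, so the
# controller can answer 400 instead of surfacing a database error.
class BadSortParam < ArgumentError; end

# Sortable columns per table (constructed; a real application would derive
# this from the model or a per-resource allow-list).
SORTABLE_COLUMNS = {
  "katello_errata" => %w[id errata_id title severity updated].freeze
}.freeze

# Hardened form: the direction is limited to asc/desc, as the fix commit
# does, and the column is checked against the known columns before being
# emitted as a quoted identifier. A "table." prefix is accepted only when
# it names the table being queried.
def safe_order_sql(table, sort_by, sort_order,
                   default_sort_by: "updated", default_sort_order: "desc")
  columns = SORTABLE_COLUMNS.fetch(table) { raise BadSortParam, "unknown table #{table.inspect}" }

  sort_attr = (sort_by || default_sort_by).to_s
  tbl, col = sort_attr.include?(".") ? sort_attr.split(".", 2) : [table, sort_attr]
  unless tbl == table && columns.include?(col)
    raise BadSortParam, "unsortable column #{sort_attr.inspect}"
  end

  # Normalise the request value; fall back to the (normalised) default and
  # refuse to continue if even the default is not a valid direction.
  dir = (sort_order || default_sort_order).to_s.downcase
  dir = default_sort_order.to_s.downcase unless %w[asc desc].include?(dir)
  raise BadSortParam, "bad default sort order #{default_sort_order.inspect}" unless %w[asc desc].include?(dir)

  %(SELECT * FROM "#{table}" ORDER BY "#{table}"."#{col}" #{dir.upcase})
end

if $PROGRAM_NAME == __FILE__
  # Constructed payload: a boolean-based blind probe smuggled in through ORDER BY.
  payload = "errata_id, (CASE WHEN (SELECT count(*) FROM users) > 0 THEN 1 ELSE 2 END)"
  puts vulnerable_order_sql("katello_errata", payload, "DESC'")
  puts safe_order_sql("katello_errata", "errata_id", "DESC'")
  begin
    safe_order_sql("katello_errata", payload, "asc")
  rescue BadSortParam => e
    puts "rejected: #{e.message}"
  end
end
```

The vulnerable function shows why ORDER BY injection matters even without a semicolon: a second, attacker-chosen expression after the column changes the result ordering depending on data the attacker should not see. The hardened function rejects unknown columns and foreign-table prefixes up front rather than letting the database report an unknown identifier.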
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| katello (RubyGems) | < 2.4.3 | 2.4.3 |
Patches
5645ed436598 · Fixes #14381 - properly sanitize sort_by and sort_attr
3 files changed · +23 −7
app/controllers/katello/api/v2/api_controller.rb+3 −2 modified@@ -57,8 +57,9 @@ def scoped_search(query, default_sort_by, default_sort_order, options = {}) sort_attr = params[:sort_by] || default_sort_by if sort_attr - sort_attr = "#{query.table_name}.#{sort_attr}" unless sort_attr.to_s.include?('.') - query = query.order("#{sort_attr} #{params[:sort_order] || default_sort_order}") + sort_order = (params[:sort_order] || default_sort_order).to_s.downcase + sort_order = default_sort_order unless ['desc', 'asc'].include?(sort_order) + query = query.order(sort_attr => sort_order.to_sym) elsif options[:custom_sort] query = options[:custom_sort].call(query) end
app/controllers/katello/api/v2/content_view_versions_controller.rb+5 −3 modified@@ -20,9 +20,11 @@ class Api::V2::ContentViewVersionsController < Api::V2::ApiController param :composite_version_id, :identifier, :desc => N_("Filter versions that are components in the specified composite version"), :required => false param_group :search, Api::V2::ApiController def index - includes = [:content_view, :environments, :composite_content_views, :history => :task] - sort = "#{ContentViewVersion.table_name}.major desc, #{ContentViewVersion.table_name}.minor desc" - respond(:collection => scoped_search(index_relation.uniq, sort, '', :includes => includes)) + options = { + :includes => [:content_view, :environments, :composite_content_views, :history => :task], + :custom_sort => lambda { |query| query.order("#{ContentViewVersion.table_name}.major desc, #{ContentViewVersion.table_name}.minor desc") } + } + respond(:collection => scoped_search(index_relation.uniq, nil, nil, options)) end def index_relation
test/controllers/api/v2/api_controller_test.rb+15 −2 modified@@ -1,13 +1,15 @@ -require 'katello_test_helper' +# encoding: utf-8 + +require "katello_test_helper" module Katello class Api::V2::ApiControllerTest < ActionController::TestCase def setup - katello_errata @controller = Katello::Api::V2::ApiController.new @query = Erratum.all @default_sort = %w(updated desc) @options = { :resource_class => Katello::Erratum } + @errata = katello_errata end def teardown @@ -51,5 +53,16 @@ def test_scoped_search_zero_total assert_equal 0, response[:total], "total" assert_nil response[:error], "error" end + + def test_scoped_search_order + params = {:sort_by => "errata_id", :sort_order => "DESC'"} # sql injection + @controller.stubs(:params).returns(params) + + query = Erratum.all + options = {resource_class: Katello::Erratum} + + results = @controller.scoped_search(query, "errata_id", "asc", options)[:results] + assert_equal ["RHBA-2014-013", "RHEA-2014-111", "RHSA-1999-1231"], results.map(&:errata_id) + end end end
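Review bot: in the api_controller.rb hunk, `sort_attr` is still taken verbatim from `params[:sort_by]`; only the direction is validated. The removed line `sort_attr = "#{query.table_name}.#{sort_attr}" unless sort_attr.to_s.include?('.')` has no replacement, so a dotted value such as `other_table.col`, which previously sorted by a joined table's column, now reaches `query.order(sort_attr => sort_order.to_sym)` as a single hash key and is treated by ActiveRecord's hash form as one column name on the relation's own table. Whitelist `sort_attr` against `query.column_names` (or a per-resource list) and answer with a client error on a miss instead of relying on the database to reject the quoted identifier. The fallback `sort_order = default_sort_order unless ['desc', 'asc'].include?(sort_order)` also assigns the raw default without downcasing or re-checking it; with the `''` default that content_view_versions_controller passed before this change, `''.to_sym` would have gone to `order`. Normalise the default the same way, or fall back to a literal `'asc'`.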
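Review bot: the `:custom_sort` lambda in the content_view_versions_controller.rb hunk still builds its ORDER BY by interpolating `ContentViewVersion.table_name` into a raw string; that is safe only because nothing in the string comes from the request, and since this commit exists because the same pattern was fed `params` elsewhere, a one-line comment stating that no request input may ever be added to it would stop the next edit from reintroducing the bug. Passing `nil, nil` as the defaults also means the major/minor ordering applies only when the client sends no `sort_by` (the `elsif options[:custom_sort]` branch); a supplied `sort_by` replaces it entirely, which matches the old behaviour but belongs in the `param_group :search` documentation.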
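Review bot: `test_scoped_search_order` exercises only the `sort_order` parameter (`"DESC'"` falling back to the `"asc"` default, hence the ascending `errata_id` assertion), although the commit message says both `sort_by` and `sort_attr` are sanitised. Add a case with a hostile `sort_by` such as `"errata_id; DROP TABLE foo"` or `"errata_id, (SELECT 1)"` and assert on the outcome, so that a regression to string interpolation of the column is caught by the suite rather than by a user.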
References
- github.com/Katello/katello/pull/6051 (NVD; patch)
- github.com/advisories/GHSA-527r-mfmj-prqf (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-3072 (GHSA; advisory)
- access.redhat.com/errata/RHSA-2016:1083 (NVD)
- access.redhat.com/security/cve/CVE-2016-3072 (GHSA)
- bugzilla.redhat.com/show_bug.cgi (NVD)
- github.com/Katello/katello/commit/5645ed4365980a34e30a9c57fe0793dff729e8e4 (GHSA)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2016-3072.yml (GHSA)