CVE-2018-14623
Description
A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This issue is related to an incomplete fix for CVE-2016-3072. Versions 3.10 and older are vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated SQL injection in Katello's errata API allows attackers to leak internal database identifiers; fixed in Satellite 6.3.
Vulnerability
A SQL injection flaw exists in Katello's errata-related API. The vulnerability allows an authenticated remote attacker to craft input data that, when processed by the errata API, forces the generation of a malformed SQL query to the backend database. This issue stems from an incomplete fix for CVE-2016-3072. Katello versions 3.10 and older are vulnerable [1][2][3].
Exploitation
An attacker must have valid authentication to the Katello/Satellite system. By sending a specially crafted request to the errata-related API endpoint, the attacker can inject SQL commands that are executed by the backend database. No user interaction beyond initial authentication is required; the attacker directly manipulates the API input [1][2][3].
Impact
Successful exploitation results in leakage of internal database identifiers. The primary impact is confidentiality loss of internal IDs, which could aid further attacks. The attacker does not gain the ability to modify or delete data, nor achieve remote code execution directly from this vulnerability [1][2][3].
Mitigation
The vulnerability is addressed in Red Hat Satellite 6.3, released as part of RHSA-2018:0336. Users are advised to upgrade to Satellite 6.3 or apply the relevant security update to their Katello packages. For Satellite versions prior to 6.3, no workarounds have been published by Red Hat [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| katello (RubyGems) | <= 3.10 | — |
Affected products
- The Foreman Project / katello, range: 3.10 and older
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-527r-mfmj-prqf (GHSA advisory)
- github.com/advisories/GHSA-jx5v-788g-qw58 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-14623 (NVD advisory)
- www.securityfocus.com/bid/106224 (MITRE, BID vdb-entry)
- access.redhat.com/errata/RHSA-2018:0336 (web)
- access.redhat.com/security/cve/CVE-2018-14623 (web)
- bugzilla.redhat.com/show_bug.cgi (web)
- bugzilla.redhat.com/show_bug.cgi (web, CONFIRM)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2018-14623.yml (web)
- web.archive.org/web/20200227100255/http://www.securityfocus.com/bid/106224 (web)
News mentions
No linked articles in our index yet.