Spacewalk-java: spacewalk: red hat network satellite: spacewalk java: privilege escalation via cross-site request forgery
Summary
| CVE | CVE-2009-4139 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2011-07-27 02:55:01 UTC |
| Updated | 2026-04-29 01:13:23 UTC |
| Description | A flaw was found in Spacewalk Java site packages. This cross-site request forgery (CSRF) vulnerability allows a remote attacker to hijack the authentication of arbitrary users. This can lead to unauthorized actions, including disabling user accounts, adding new user accounts, or escalating privileges by modifying existing user accounts to have administrator access. |
Risk And Classification
Primary CVSS: v3.1 6.8 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.001730000 probability, percentile 0.383940000 (date 2026-04-28)
Problem Types: CWE-346 | CWE-352 | CWE-346 Origin Validation Error
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| 3.1 | CNA | CVSS | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| 2.0 | [email protected] | Primary | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
PartialIntegrity
PartialAvailability
PartialAV:N/AC:M/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Network Satellite Server | 5.3.0 | All | All | All |
| Application | Redhat | Network Satellite Server | 5.4.0 | All | All | All |
| Application | Redhat | Network Satellite Server | 5.4.1 | All | All | All |
| Application | Redhat | Spacewalk-java | 1.2.39 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Bug 529483 – CVE-2009-4139 RHN Satellite / Spacewalk: CSRF in all web portal forms | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | |
| access.redhat.com/security/cve/CVE-2009-4139 | [email protected] | access.redhat.com | |
| Support | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | Patch, Vendor Advisory |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | |
| Red Hat Network Satellite Server Request Validation Flaw Permits Cross-Site Request Forgery Attacks - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | securitytracker.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-02T14:51:35.507Z | Reported to Red Hat. |
| CNA | 2011-07-27T01:29:00.000Z | Made public. |
Workarounds
CNA: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
There are currently no legacy QID mappings associated with this CVE.