A vulnerability was reported in Red Hat Network Satellite Server. A remote user can conduct cross-site request forgery attacks.
The Red Hat Network (RHN) Satellite and Spacewalk services do not properly validate user-supplied. A remote user can create specially crafted HTML that, when loaded by a target authenticated user, will take actions on the target site acting as the target user.
It was found that RHN Satellite did not protect against Cross-Site Request Forgery (CSRF) attacks. If an authenticated RHN Satellite user visited a specially-crafted web page, it could lead to unauthorized command execution with the privileges of that user, for example, creating a new user account, granting administrator privileges to user accounts, disabling the account of the current user, and so on. (CVE-2009-4139)
A remote user can view files on the target system.The Avaya B5800 Branch Gateway version 6.1 is also affected.
Users of Red Hat Network Satellite 5.4.1 are advised to upgrade to these updated spacewalk-java packages, which resolve this issue. For this update to take effect, Red Hat Network Satellite must be restarted.