CVE-2019-10137

Name of the Vulnerable Software and Affected Versions spacewalk-proxy versions through 2.9

Description A path traversal flaw was found in the way the proxy processes cached client tokens. This issue could allow a remote, unauthenticated attacker to test the existence of arbitrary files or execute arbitrary code in the context of the httpd process. The flaw is related to incorrect restriction of directory path names with limited access.

Recommendations For spacewalk-proxy versions through 2.9, consider restricting access to the proxy's filesystem to minimize the risk of exploitation. As a temporary workaround, review and limit the use of cached client tokens until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.