CVE-2020-1693

Name of the Vulnerable Software and Affected Versions Spacewalk versions up to 2.9

Description A flaw in Spacewalk allows for XML internal entity attacks via the "/rpc/api" endpoint. This could enable an unauthenticated remote attacker to retrieve certain file contents, trigger a denial of service, or potentially execute arbitrary code on the Spacewalk server. The issue is related to incorrect restriction of XML links to external objects, which can be exploited by a remote attacker to disclose protected information, cause a denial of service, or execute arbitrary code.

Recommendations For Spacewalk versions up to 2.9, as a temporary workaround, consider restricting access to the "/rpc/api" endpoint until a patch is available. Avoid using this endpoint for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.