FKIE_CVE-2009-4139

Vulnerability from fkie_nvd - Published: 2011-07-27 02:55 - Updated: 2026-04-29 01:13
Severity
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
A flaw was found in Spacewalk Java site packages. This cross-site request forgery (CSRF) vulnerability allows a remote attacker to hijack the authentication of arbitrary users. This can lead to unauthorized actions, including disabling user accounts, adding new user accounts, or escalating privileges by modifying existing user accounts to have administrator access.
References
secalert@redhat.comhttp://securitytracker.com/id?1025674
secalert@redhat.comhttp://www.redhat.com/support/errata/RHSA-2011-0879.htmlPatch, Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2009-4139
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=529483
secalert@redhat.comhttps://exchange.xforce.ibmcloud.com/vulnerabilities/68074
af854a3a-2127-422b-91ae-364da2661108http://securitytracker.com/id?1025674
af854a3a-2127-422b-91ae-364da2661108http://www.redhat.com/support/errata/RHSA-2011-0879.htmlPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=529483
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/68074
Impacted products
Vendor Product Version
redhat network_satellite_server 5.3.0
redhat network_satellite_server 5.4.0
redhat network_satellite_server 5.4.1
redhat spacewalk-java 1.2.39
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:network_satellite_server:5.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "771FCD58-59DF-468C-9AB4-229DA07A0CA2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:network_satellite_server:5.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D64C46C1-A5EB-4476-8DBA-F3C7D0FB5905",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:network_satellite_server:5.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2DF5F81-B099-4878-9739-D5B3B0E89030",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:spacewalk-java:1.2.39:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8CF0A4D-0501-4DEC-AADD-4A157E5960D8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Spacewalk Java site packages. This cross-site request forgery (CSRF) vulnerability allows a remote attacker to hijack the authentication of arbitrary users. This can lead to unauthorized actions, including disabling user accounts, adding new user accounts, or escalating privileges by modifying existing user accounts to have administrator access."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en los paquetes Spacewalk Java (spacewalk-java) 1.2.39 de Spacewalk, tal como se utiliza en el servidor de Red Hat Network Satellite 5.3.0 hasta la versi\u00f3n 5.4.1 y otros productos, permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios arbitrarios para peticiones que (1) deshabilitan la cuenta del usuario actual, (2) a\u00f1aden cuentas de usuarios, o (3) modifican cuentas de usuarios para tener privilegios administrativos."
    }
  ],
  "id": "CVE-2009-4139",
  "lastModified": "2026-04-29T01:13:23.040",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.2,
        "source": "secalert@redhat.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2011-07-27T02:55:01.243",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://securitytracker.com/id?1025674"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0879.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2009-4139"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=529483"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/68074"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securitytracker.com/id?1025674"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0879.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=529483"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/68074"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-346"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.