GHSA-fwj4-6wgp-mpxm

Source
https://github.com/advisories/GHSA-fwj4-6wgp-mpxm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fwj4-6wgp-mpxm/GHSA-fwj4-6wgp-mpxm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fwj4-6wgp-mpxm
Aliases
  • CVE-2026-4324
Published
2026-03-17T15:36:23Z
Modified
2026-06-01T21:45:26.641319992Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Katello: Denial of Service and potential information disclosure via SQL injection
Details

A flaw was found in the Katello plugin for Red Hat Satellite. User-supplied input is not properly sanitized before it reaches a database query, so a remote attacker can inject arbitrary SQL through the sortby parameter of the /api/hosts/bootcimages API endpoint. Injected input that provokes database errors causes a Denial of Service (DoS), and the same injection point may permit boolean-based blind SQL injection, letting an attacker extract sensitive information from the database. The CVSS vector (PR:L) indicates that a low-privileged authenticated account is required to reach the endpoint; no user interaction is needed.
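As an added example, not Katello's code and not the actual code path of the endpoint above, the Ruby below shows the bug class this advisory names (CWE-89, a client-controlled sort field reaching an ORDER BY clause) next to the allow-list pattern that closes it. The table name, column names and the 1/0 payloads are constructed for illustration; only the fixed gem version 4.19.1 is taken from this advisory.

```ruby
# Added example, not Katello's code. Illustrates a client-controlled sort field
# reaching an ORDER BY clause unchecked, and the allow-list fix. The table and
# column names below are assumptions made for this example.

SORTABLE_COLUMNS = %w[id name version created_at].freeze # hypothetical columns
SORT_DIRECTIONS  = %w[asc desc].freeze

class InvalidSortError < ArgumentError; end

# Vulnerable pattern: the request parameter is interpolated into the SQL text.
# On PostgreSQL a constructed payload such as
#   name, (SELECT 1/0)
# raises "division by zero" for every request carrying it (the error-driven DoS
# described in the advisory), while
#   name, (SELECT CASE WHEN (<condition>) THEN 1 ELSE 1/0 END)
# errors only when <condition> is false, which is the boolean-based blind
# oracle that lets an attacker read data one comparison at a time.
def build_query_unsafe(sort_by, order = "asc")
  "SELECT id, name FROM bootc_images ORDER BY #{sort_by} #{order}"
end

# Hardened pattern: the client value only selects an entry from a fixed
# allow-list, and the constant from the list (never the client string) is what
# reaches the SQL. Anything not on the list is rejected before SQL is built.
def build_query_safe(sort_by, order = "asc")
  column = SORTABLE_COLUMNS.find { |c| c == sort_by.to_s.downcase }
  raise InvalidSortError, "sort_by must be one of #{SORTABLE_COLUMNS.join(', ')}" unless column
  direction = SORT_DIRECTIONS.find { |d| d == order.to_s.downcase }
  raise InvalidSortError, "order must be asc or desc" unless direction
  "SELECT id, name FROM bootc_images ORDER BY #{column} #{direction}"
end

# Returns :accepted or :rejected for a candidate sort value under the hardened
# builder, which is the assertion a request-validation test would make.
def classify_sort_param(sort_by)
  build_query_safe(sort_by)
  :accepted
rescue InvalidSortError
  :rejected
end

# Version check against the fixed katello gem release named in this advisory.
# Red Hat Satellite ships its own katello builds, so check Satellite errata
# separately rather than relying on this gem comparison alone.
FIXED_VERSION = Gem::Version.new("4.19.1")

def vulnerable_katello_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

if $PROGRAM_NAME == __FILE__
  payload = "name, (SELECT 1/0)"
  puts build_query_unsafe(payload)             # payload lands in the SQL verbatim
  puts classify_sort_param(payload)            # prints "rejected"
  puts vulnerable_katello_version?("4.19.0.1") # prints "true"
end
```

The design point is that the hardened builder never copies the client string into the query, even after matching: it emits the canonical constant from the allow-list, so case differences, trailing characters or encoding tricks cannot reintroduce the injection.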

Database specific
{
    "nvd_published_at": "2026-03-17T14:16:19Z",
    "github_reviewed_at": "2026-03-18T17:25:29Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

RubyGems / katello

Package

Name
katello
Purl
pkg:gem/katello

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.19.1

Affected versions

1.*
1.5.0
2.*
2.2.2
2.4.0.rc1
2.4.0.rc2
2.4.0.rc3
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
3.*
3.0.0.rc1
3.0.0.rc2
3.0.0.rc3
3.0.0.rc4
3.0.0.rc5
3.0.0.rc7
3.0.0
3.0.1
3.0.2
3.1.0.rc1
3.1.0.rc2.1
3.1.0
3.1.0.1
3.2.0.rc1
3.2.0.rc1.1
3.2.0.rc2
3.2.0.rc3
3.2.0
3.2.1
3.2.1.1
3.3.0.rc1
3.3.0.rc1.1
3.3.0.rc2
3.3.0
3.3.0.1
3.3.1
3.3.1.1
3.3.2
3.4.0.rc1
3.4.0.rc2
3.4.0
3.4.0.1
3.4.0.2
3.4.1
3.4.2
3.4.4
3.4.5
3.5.0.rc1
3.5.0.rc2
3.5.0
3.5.0.1
3.5.1
3.5.1.1
3.5.2
3.6.0.rc1
3.6.0.rc2
3.6.0
3.6.0.1.rc2
3.7.0.rc1
3.7.0.rc2
3.7.0
3.7.1
3.7.1.1
3.8.0.rc1
3.8.0.rc2
3.8.0.rc3
3.8.0
3.8.1
3.9.0.rc1
3.9.0.rc2
3.9.0
3.9.1
3.10.0.rc1
3.10.0.rc1.1
3.10.0
3.10.1
3.10.1.1
3.10.2
3.11.0.rc1
3.11.0.rc2
3.11.0
3.11.1
3.11.2
3.12.0.rc1
3.12.0.rc2
3.12.0
3.12.1
3.12.2
3.12.3
3.13.0.rc1
3.13.0.rc2
3.13.0.rc2.1
3.13.0
3.13.1
3.13.2
3.13.3
3.13.4
3.14.0.rc1
3.14.0.rc2
3.14.0
3.14.1
3.15.0.rc1
3.15.0.rc1.1
3.15.0.rc1.2
3.15.0.rc1.3
3.15.0.rc2
3.15.0
3.15.0.1
3.15.1
3.15.1.1
3.15.2
3.15.3
3.15.3.1
3.16.0.rc1
3.16.0.rc1.1
3.16.0.rc2
3.16.0.rc2.1
3.16.0.rc3
3.16.0.rc3.1
3.16.0.rc4
3.16.0.rc4.1
3.16.0.rc5
3.16.0.rc5.1
3.16.0
3.16.1
3.16.1.1
3.16.1.2
3.16.2
3.17.0.rc1
3.17.0.rc2
3.17.0.rc2.1
3.17.0.rc2.2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0.rc1
3.18.0.rc2
3.18.0.rc2.1
3.18.0
3.18.1
3.18.1.1
3.18.2
3.18.2.1
3.18.3
3.18.3.1
3.18.4
3.18.5
4.*
4.0.0.rc1
4.0.0.rc2
4.0.0.rc3
4.0.0.rc3.1
4.0.0
4.0.1
4.0.1.1
4.0.1.2
4.0.2
4.0.2.1
4.0.3
4.1.0.rc1
4.1.0.rc1.1
4.1.0.rc2
4.1.0.rc2.1
4.1.0.rc2.2
4.1.0
4.1.1
4.1.2
4.1.2.1
4.1.3
4.1.4
4.2.0.rc1
4.2.0.rc2
4.2.0.1.rc2
4.2.0.1.rc3
4.2.0.1
4.2.1
4.2.2
4.3.0.rc1
4.3.0.rc2
4.3.0.rc2.1
4.3.0.rc3
4.3.0.rc4
4.3.0
4.3.1
4.4.0.rc1
4.4.0.rc2
4.4.0
4.4.0.1
4.4.0.2
4.4.1
4.4.2
4.4.2.1
4.4.2.2
4.5.0.rc1
4.5.0.rc2
4.5.0
4.5.1
4.6.0.rc1
4.6.0.rc2
4.6.0
4.6.1
4.6.2
4.6.2.1
4.7.0.rc1
4.7.0.rc2
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.8.0.rc1
4.8.0.rc2
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.9.0.rc1
4.9.0.rc2
4.9.0
4.9.1
4.9.2
4.10.0.rc1
4.10.0.rc2
4.10.0
4.11.0.rc1
4.11.0.rc2
4.11.0
4.11.1
4.12.0.rc1
4.12.0.rc2
4.12.0.rc3
4.12.0
4.12.1
4.13.0.rc1
4.13.0
4.13.1
4.14.0.rc1
4.14.0.rc1.1
4.14.0.rc2
4.14.0.rc3
4.14.0
4.14.1
4.14.2
4.14.3
4.15.0.rc1
4.15.0.rc2
4.15.0
4.15.1
4.16.0.rc1
4.16.0.rc2
4.16.0
4.16.1
4.16.2
4.16.3
4.17.0.rc1
4.17.0.rc2
4.17.0
4.17.1
4.17.2
4.18.0.rc1
4.18.0.rc2
4.18.0
4.18.1
4.19.0.rc1
4.19.0.rc2
4.19.0.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fwj4-6wgp-mpxm/GHSA-fwj4-6wgp-mpxm.json"