Katello is prone to a security-bypass vulnerability because of missing authorization checks. Exploiting this issue could allow an attacker to bypass certain security restrictions and gain escalated privileges.
Credit:
The information has been provided by Ramon de C Valle .
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.