Jan Rusnacko of the Red Hat Product Security Team reports:
CFME fails to check if the current user is allowed to delete catalogs. A regular
user with minimal privileges will not see the Catalog menu, as the role-based check is
performed in the view (layouts/_page_header_navbar.html.haml):
-if role_allows(:feature => 'catalog',:any => true)
  %li(class="#{secondary_nav_class('catalogs')}")
    %a{:href=>'/catalog/explorer'}Catalogs
In the context of the running application:
(rdb:1) User.current_user.name
"testuser1"
(rdb:1) role_allows(:feature => 'catalog',:any => true)
false
By POSTing a request and going through catalog IDs sequentially, an attacker
can delete all catalogs.
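The following is an added illustrative model of the bug class in the report (authorization enforced only in the view, not in the action that performs the privileged operation), written here as a self-contained Ruby simulation. It is not CFME code: the User and CatalogStore classes, the two controller classes, the in-memory store, the "catalog_" prefix modelling of :any => true, and the "dashboard" feature given to the low-privilege user are all assumptions chosen to mirror the pattern in the report. It shows that hiding the menu entry with role_allows does nothing to stop a client that POSTs the delete action directly for ids 1..N, and that repeating the same role_allows check inside the action closes the hole.

```ruby
# Added example modelling the report's bug class; not CFME code.
# All class and method names below are assumptions (see lead-in).

# Stand-in for the user/role model: a user holds a list of feature identifiers.
User = Struct.new(:name, :features)

# Stand-in for CFME's role_allows helper. With any: true the report's call also
# accepts sub-features of 'catalog'; that is modelled here as a "catalog_" prefix
# match, which is an assumption about the real implementation.
def role_allows(user, feature:, any: false)
  user.features.any? do |f|
    f == feature || (any && f.start_with?("#{feature}_"))
  end
end

# In-memory catalog store with sequential integer ids (constructed sample data).
class CatalogStore
  attr_reader :catalogs

  def initialize(count)
    @catalogs = (1..count).map { |id| [id, "catalog-#{id}"] }.to_h
  end

  def delete(id)
    @catalogs.delete(id)
  end

  def ids
    @catalogs.keys
  end
end

# View layer: hides the Catalogs menu entry when the role check fails.
# This mirrors the haml guard quoted in the report and is the only check the
# vulnerable path relies on.
def navbar(user)
  items = []
  items << "Catalogs" if role_allows(user, feature: "catalog", any: true)
  items
end

# Vulnerable action: assumes anyone reaching it came through the menu, so it
# never repeats the role check server-side.
class VulnerableCatalogController
  def initialize(store)
    @store = store
  end

  def destroy(_user, id)
    @store.delete(id) ? :deleted : :not_found
  end
end

# Hardened action: the same role_allows check the view performs, applied before
# the privileged operation regardless of what the UI showed the user.
class HardenedCatalogController
  def initialize(store)
    @store = store
  end

  def destroy(user, id)
    return :forbidden unless role_allows(user, feature: "catalog", any: true)
    @store.delete(id) ? :deleted : :not_found
  end
end

# Attacker model from the report: request the delete action for ids 1..max_id in
# turn, never touching the (hidden) menu. Returns the outcome per id.
def enumerate_deletes(controller, user, max_id)
  (1..max_id).map { |id| [id, controller.destroy(user, id)] }.to_h
end

# Run the enumeration as a low-privilege user against either controller and
# report what the menu showed, what each request returned, and what survived.
def demo(controller_class, store_size: 5, max_id: 6)
  store = CatalogStore.new(store_size)
  low_priv = User.new("testuser1", ["dashboard"]) # no catalog feature (assumed)
  outcomes = enumerate_deletes(controller_class.new(store), low_priv, max_id)
  { menu: navbar(low_priv), outcomes: outcomes, remaining: store.ids }
end

if __FILE__ == $PROGRAM_NAME
  p demo(VulnerableCatalogController) # menu empty, yet every catalog deleted
  p demo(HardenedCatalogController)   # menu empty, every request :forbidden
end
```

The point the simulation makes is the one a reviewer should look for in any Rails-style application: a role_allows (or equivalent) guard in a template controls only what is rendered, so every controller action that mutates state needs its own check, typically as a before_filter on the controller rather than per-action code.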