Bug 1112813 (CVE-2014-3521)
Summary: | CVE-2014-3521 luci: unauthorized administrative access granted to non-administrative users | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | jrusnack, rmccabe, security-response-team, vkrizan |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
It was discovered that various components in the luci site extension-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could escalate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2014-11-07 06:06:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1089310 | ||
Bug Blocks: | 874222 |
Description
Vincent Danen
2014-06-24 17:54:59 UTC
IssueDescription: It was discovered that various components in the luci site extension-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could escalate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data. This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:1194 https://rhn.redhat.com/errata/RHSA-2014-1194.html |