Bug 1232366 (CVE-2015-3235)

Summary: CVE-2015-3235 foreman: edit_users permission allows changing of admin passwords
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bkearney, chrisw, cpelland, cperry, dallan, gkotton, gmollett, jrusnack, katello-bugs, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, sclewis, tjay, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that in Foreman the edit_users permissions (for example, granted to the Manager role) allowed the user to edit admin user passwords. An attacker with the edit_users permissions could use this flaw to access an admin user account, leading to an escalation of privileges.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-22 03:08:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1233084    
Bug Blocks: Embargoed1145400, Embargoed1232367, Embargoed1253077    

Description Vasyl Kaigorodov 2015-06-16 14:52:06 UTC
Dominic Cleal of Red Hat reported the below issue in Foreman:

A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.

Upstream bug: http://projects.theforeman.org/issues/10829
Upstream fix: pull request not yet merged, see upstream bug

Comment 1 Kurt Seifried 2015-07-29 17:17:12 UTC
Updated CVSS2 scoring.

Comment 2 errata-xmlrpc 2015-08-12 04:52:13 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.1

Via RHSA-2015:1591 https://access.redhat.com/errata/RHSA-2015:1591

Comment 3 errata-xmlrpc 2015-08-12 05:31:01 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.1

Via RHSA-2015:1592 https://access.redhat.com/errata/RHSA-2015:1592