Bug 1252805 (CVE-2015-5189)
|Summary:||CVE-2015-5189 pcs: Incorrect authorization when using pcs web UI|
|Product:||[Other] Security Response||Reporter:||Adam Mariš <amaris>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||cfeist, jrusnack, security-response-team, tojeline|
|Fixed In Version:||Doc Type:||Bug Fix|
A race condition was found in the way the pcsd web UI backend performed authorization of user requests. An attacker could use this flaw to send a request that would be evaluated as originating from a different user, potentially allowing the attacker to perform actions with permissions of a more privileged user.
|Last Closed:||2015-09-01 14:04:16 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1253287, 1253288, 1253289, 1253290|
Description Adam Mariš 2015-08-12 09:24:21 UTC
It was reported that it's possible to get access as a different user when using pcsd (the pcs web UI) due to using a variable which is global to the server instead of the connection to validate usernames. Scenario is following: User A sends a command to pcsd, after the connection is made and authentication happens, (but before any security checks are done), User B connects and authenticates. User A could potentially get access based on User B's permissions. To take advantage of this the user must have access to login to pcsd.
Comment 3 Ján Rusnačko 2015-08-14 12:26:41 UTC
Acknowledgement: This issue was discovered by Tomáš Jelínek of Red Hat.