Bug 1310675 (CVE-2016-2100)
| Summary: | CVE-2016-2100 foreman: Unprivileged user can access private bookmarks of other users | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abaron, aortega, apevec, ayoung, bkearney, chrisw, cpelland, dallan, gkotton, jmatthew, jschluet, katello-bugs, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, sclewis, sisharma, srevivo, tdecacqu, tjay, tlestach, tsanders |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
It was found that access to private bookmarks of users is not properly restricted in Foreman. This could allow an attacker to view the search terms used in these bookmarks which should be private.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-09-19 19:43:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1192414 | ||
| Bug Blocks: | 1310678 | ||
|
Description
Adam Mariš
2016-02-22 13:43:33 UTC
From Dominic Cleal: Affects: Foreman 0.3 or higher Fix released in Foreman 1.10.3 and Foreman 1.11.0-RC2 Patch: https://github.com/theforeman/foreman/commit/a61344da14f73920b4bdc7ad8220e7a0ed998031 More information: http://theforeman.org/security.html#2016-2100 http://projects.theforeman.org/issues/13828 http://theforeman.org/ This issue has been addressed in the following products: Red Hat Satellite 6.2 Via RHSA-2016:1500 |