Bug 1342439 (CVE-2016-4475)
| Summary: | CVE-2016-4475 foreman: API and UI actions/URLs not limited to the orgs/locations assigned | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abaron, aortega, apevec, ayoung, bkearney, cbillett, ceph-eng-bugs, chrisw, jmatthew, jschluet, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, satellite6-bugs, sclewis, sisharma, srevivo, tdecacqu, tjay, tlestach, tsanders |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
It was found that the foreman API and UI actions and URLs are not properly limited to the organizations and locations they were assigned to. This could allow an attacker to view and update other organizations and locations in the system that they should not be allowed to.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-09-19 19:41:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1342665 | ||
| Bug Blocks: | 1342442 | ||
|
Description
Andrej Nemec
2016-06-03 09:40:15 UTC
Upstream Patches: https://github.com/theforeman/foreman/commit/1144040f444b4bf4aae81940a150b26b23b4623c https://github.com/theforeman/foreman/commit/a30ab44ed6f140f1791afc51a1e448afc2ff28f9 Fixed upstream 1.11.4 This issue has been addressed in the following products: Red Hat Satellite 6.2 Via RHSA-2016:1615 |