Bug 1342439 (CVE-2016-4475)

Summary: CVE-2016-4475 foreman: API and UI actions/URLs not limited to the orgs/locations assigned
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bkearney, cbillett, ceph-eng-bugs, chrisw, jmatthew, jschluet, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, satellite6-bugs, sclewis, sisharma, srevivo, tdecacqu, tjay, tlestach, tsanders
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20160602,reported=20160602,source=researcher,cvss2=4.9/AV:N/AC:M/Au:S/C:P/I:P/A:N,cwe=CWE-284,rhn_satellite_6/foreman=affected,openstack-foreman/foreman=affected,openstack-6-installer/foreman=affected,ceph-1.3/foreman=wontfix
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that the foreman API and UI actions and URLs are not properly limited to the organizations and locations they were assigned to. This could allow an attacker to view and update other organizations and locations in the system that they should not be allowed to.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-19 19:41:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1342665    
Bug Blocks: 1342442    

Description Andrej Nemec 2016-06-03 09:40:15 UTC
A number of API and UI actions/URLs for viewing and managing
organisations and locations are not limited to the orgs/locations
assigned directly to the user, instead they are only restricted by
permissions assigned to the user's roles. This allows users to view and
update other organisations/locations in the system that they should not
have access to.

Upstream bug:


Proposed patch:


Comment 2 Kurt Seifried 2016-09-19 19:36:06 UTC
Fixed upstream 	1.11.4

Comment 3 Kurt Seifried 2016-09-19 19:41:47 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.2

Via RHSA-2016:1615