Bug 970849 (CVE-2013-2143)

Summary: CVE-2013-2143 Katello: /app/controllers/users_controller.rb insufficient privilege check
Product: [Other] Security Response
Reporter: Garth Mollett <gmollett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: athomas, bkearney, cbillett, cpelland, inecas, jrusnack, kseifried, mmccune, msuchy, sclewis, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-03 18:06:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 970852, 970860
Bug Blocks: 970850, 1239193

Description Garth Mollett 2013-06-05 05:49:14 UTC
Ramon de C Valle <rcvalle> reports:

There is an improper privilege management vulnerability in the
update_roles method of the UsersController controller. The update_roles
method updates the roles of a specified user without checking the
privileges for the user performing the action.

  def update_roles
    params[:user] = { "role_ids" => [] } unless params.has_key? :user

    #Add in the own role if updating roles, cause the user shouldn't see his own role
    params[:user][:role_ids] << @user.own_role.id

    # No check that the requesting user may modify @user, and params[:user]
    # is mass-assigned exactly as submitted.
    if @user.update_attributes(params[:user])
      notify.success _("User updated successfully.")

      if not search_validate(User, @user.id, params[:search], :username)
        notify.message _("'%s' no longer matches the current search criteria.") % @user.username
      end

      render :nothing => true and return
    end
    notify.invalid_record @user
    render :text => @user.errors, :status => :ok
  end

Any user can arbitrarily update any attributes of any user (including
themselves) by sending a specially-crafted POST request.
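
The following is an added illustration, not code from Katello or from the report: a plain-Ruby model of the update_roles flow quoted above, runnable without Rails. It plays the same request against the flow as reported and against a hardened variant that adds the two things the report shows are missing, a privilege check on the caller and a whitelist of accepted attributes. The hardened variant is an assumed design, not Katello's actual patch (this bug does not record one). AuthorizationError, can_edit_users?, the :users_update permission, PERMITTED_USER_ATTRS and the fixture users "admin" and "bob" are all assumptions made for the example.

```ruby
# Added illustration (not Katello code and not part of the report):
# a plain-Ruby model of the update_roles flow quoted above. Rails is
# not needed. Assumed names: AuthorizationError, can_edit_users?,
# :users_update, PERMITTED_USER_ATTRS and the fixture users.

class AuthorizationError < StandardError; end

Role = Struct.new(:id, :name)

# Stand-in for the ActiveRecord User model. update_attributes
# mass-assigns every key it receives, as ActiveRecord did at the time,
# so whatever reaches it from params becomes writable.
class User
  attr_accessor :username, :role_ids, :own_role, :password, :permissions

  def initialize(username:, own_role:, role_ids: [], permissions: [])
    @username = username
    @own_role = own_role
    @role_ids = role_ids
    @permissions = permissions
    @password = nil
  end

  def update_attributes(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    true
  end

  # Assumed privilege check; Katello's real check is not on this page.
  def can_edit_users?
    permissions.include?(:users_update)
  end
end

# The vulnerable flow from the report: `target` plays @user, the account
# named in the URL. Nothing looks at who is calling. (Rails params take
# string or symbol keys; this model uses string keys inside params[:user].)
def update_roles_vulnerable(target, params)
  params[:user] = { "role_ids" => [] } unless params.key?(:user)
  params[:user]["role_ids"] << target.own_role.id
  target.update_attributes(params[:user])
end

PERMITTED_USER_ATTRS = ["role_ids"].freeze

# Fixed flow (an assumed design, not Katello's patch): reject callers
# without the user-editing privilege, and let only role_ids through so
# password or other columns cannot ride along in the same request.
def update_roles_hardened(current_user, target, params)
  unless current_user.can_edit_users?
    raise AuthorizationError, "#{current_user.username} may not edit users"
  end
  submitted = params.fetch(:user, {})
  attrs = submitted.select { |key, _| PERMITTED_USER_ATTRS.include?(key) }
  attrs["role_ids"] = Array(attrs["role_ids"]).dup
  attrs["role_ids"] << target.own_role.id
  target.update_attributes(attrs)
end

# Constructed fixture: an admin (role 1) and an unprivileged user.
def fixture
  admin = User.new(username: "admin", own_role: Role.new(10, "admin-own"),
                   role_ids: [1], permissions: [:users_update])
  bob = User.new(username: "bob", own_role: Role.new(11, "bob-own"))
  [admin, bob]
end

# Constructed request body: what bob POSTs at the admin account. An empty
# role_ids is included because the controller's `<<` needs an array there.
def attacker_params
  { user: { "role_ids" => [], "password" => "pwned" } }
end

# Runs the same request against both versions and reports what changed.
def run_attack
  admin, _bob = fixture
  update_roles_vulnerable(admin, attacker_params)
  vulnerable = { password: admin.password, role_ids: admin.role_ids }

  admin, bob = fixture
  denied = false
  begin
    update_roles_hardened(bob, admin, attacker_params)
  rescue AuthorizationError
    denied = true
  end
  hardened = { denied: denied, password: admin.password, role_ids: admin.role_ids }

  # A legitimate caller still cannot smuggle extra attributes through.
  admin, bob = fixture
  update_roles_hardened(admin, bob, { user: { "role_ids" => [1], "password" => "x" } })
  legitimate = { password: bob.password, role_ids: bob.role_ids }

  { vulnerable: vulnerable, hardened: hardened, legitimate: legitimate }
end

if __FILE__ == $PROGRAM_NAME
  run_attack.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Run it with `ruby` on the saved file. Against the reported flow, bob's request both sets the admin's password and replaces the admin's role list with only the hidden own-role, so the attacker strips the admin role as a side effect. Against the hardened flow the same request is refused before any attribute is touched, and an admin editing bob gets only the role change, with the password key silently dropped by the whitelist.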

Comment 3 Garth Mollett 2013-09-29 23:59:59 UTC
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.

Comment 4 Murray McAllister 2014-04-22 02:25:37 UTC
This issue is public now.