Bug 990374 (CVE-2013-4182)

Summary: CVE-2013-4182 foreman: app/controllers/api/v1/hosts_controller.rb API privilege escalation
Product: [Other] Security Response
Reporter: Garth Mollett <gmollett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: ajeain, aortega, apevec, athomas, ayoung, bkearney, chrisw, cpelland, gkotton, iheim, jrusnack, markmc, mhulan, mmccune, morazi, ohadlevy, ohochman, rbryant, sclewis, security-response-team, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-20 05:24:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 990384, 990385, 995304, 995305
Bug Blocks: 990379

Description Garth Mollett 2013-07-31 05:31:24 UTC
Marek Hulan <mhulan> reports:

Hello,

today it was discovered by a community member (Daniel Lobato) that users can
manage hosts via the API even when they shouldn't have access to them (this works
correctly in the UI). The app/controllers/api/v1/hosts_controller.rb does not honor
user privileges at all.

Comment 4 Marek Hulan 2013-07-31 13:00:18 UTC
http://projects.theforeman.org/issues/2863

Comment 5 Kurt Seifried 2013-07-31 20:47:06 UTC
Acknowledgements:

Red Hat would like to thank Daniel Lobato of CERN IT-PES-PS for reporting this issue.

Comment 8 Marek Hulan 2013-09-03 15:14:30 UTC
Sorry, I should probably not have changed the Status.

Comment 9 errata-xmlrpc 2013-09-03 20:26:19 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1196 https://rhn.redhat.com/errata/RHSA-2013-1196.html