Bug 1064556 (CVE-2014-0078) - CVE-2014-0078 CFME: multiple authorization bypass vulnerabilities in CatalogController
Summary: CVE-2014-0078 CFME: multiple authorization bypass vulnerabilities in CatalogC...
Alias: CVE-2014-0078
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1064559 1064560
Blocks: 1064558 1095075
TreeView+ depends on / blocked
Reported: 2014-02-12 20:19 UTC by Kurt Seifried
Modified: 2021-02-17 06:53 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-08-15 06:03:07 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0469 0 normal SHIPPED_LIVE Important: cfme security, bug fix, and enhancement update 2014-05-12 22:12:35 UTC

Description Kurt Seifried 2014-02-12 20:19:04 UTC
Jan Rusnacko of the Red Hat Product Security Team reports:

CFME fails to check if the current user is allowed to delete catalogs. Regular 
user with minimal privileges will not see Catalog menu, as role based check is 
performed in view (layouts/_page_header_navbar.html.haml):

45 -if role_allows(:feature => 'catalog',:any => true)
46 %li(class="#{secondary_nav_class('catalogs')}")
47 %a{:href=>'/catalog/explorer'}Catalogs

In the context of running application:

(rdb:1) User.current_user.name
(rdb:1) role_allows(:feature => 'catalog',:any => true)

By POSTing a request and going through catalog IDs sequentially an attacker
can delete all catalogs.

Comment 3 Kurt Seifried 2014-02-20 18:52:36 UTC

This issue was discovered by Jan Rusnacko of the Red Hat Product Security Team.

Comment 6 errata-xmlrpc 2014-05-12 18:13:18 UTC
This issue has been addressed in following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0469 https://rhn.redhat.com/errata/RHSA-2014-0469.html

Note You need to log in before you can comment on or make changes to this bug.