Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1220853 - (CVE-2015-3199) CVE-2015-3199 foreman_discovery: auto provision rule does not enforce host group association to org/location
CVE-2015-3199 foreman_discovery: auto provision rule does not enforce host gr...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20150511,reported=2...
: Security
Depends On:
Blocks: 1220855
  Show dependency treegraph
 
Reported: 2015-05-12 11:38 EDT by Martin Prpič
Modified: 2016-04-26 11:15 EDT (History)
24 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-04 11:37:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Martin Prpič 2015-05-12 11:38:04 EDT 
It was found that the Foreman Discovery plug-in's auto provision rules did not correctly enforce group association to an organization or a location.

Steps to reproduce:

1. log in with a user that has 2 locations (A, B)
2. discover a host and make sure it is connected to location B
3. create a hostgroup in location A
4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
5. log in with a user with permissions to location B only
6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
7. auto provision the discovered host
8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for

Upstream issue with additional details:

http://projects.theforeman.org/issues/10469
Comment 1 Kurt Seifried 2015-07-04 11:37:14 EDT 
"This was reported by Ori Rabin to foreman-security (thanks!) and a CVE identifier was filed under CVE-2015-3199, but it turned out this does not affect any released upstream version."
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.