Bug 1220853 (CVE-2015-3199) - CVE-2015-3199 foreman_discovery: auto provision rule does not enforce host group association to org/location
Summary: CVE-2015-3199 foreman_discovery: auto provision rule does not enforce host gr...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-3199
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1220855
TreeView+ depends on / blocked
 
Reported: 2015-05-12 15:38 UTC by Martin Prpič
Modified: 2025-06-03 06:59 UTC (History)
40 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-07-04 15:37:14 UTC
Embargoed:

Attachments (Terms of Use)

Description Martin Prpič 2015-05-12 15:38:04 UTC 
It was found that the Foreman Discovery plug-in's auto provision rules did not correctly enforce group association to an organization or a location.

Steps to reproduce:

1. log in with a user that has 2 locations (A, B)
2. discover a host and make sure it is connected to location B
3. create a hostgroup in location A
4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
5. log in with a user with permissions to location B only
6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
7. auto provision the discovered host
8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for

Upstream issue with additional details:

http://projects.theforeman.org/issues/10469
Comment 1 Kurt Seifried 2015-07-04 15:37:14 UTC 
"This was reported by Ori Rabin to foreman-security (thanks!) and a CVE identifier was filed under CVE-2015-3199, but it turned out this does not affect any released upstream version."
Note You need to log in before you can comment on or make changes to this bug.