Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1232366 - (CVE-2015-3235) CVE-2015-3235 foreman: edit_users permission allows changing of admin passwords
CVE-2015-3235 foreman: edit_users permission allows changing of admin passwords
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20150616,repo...
: Security
Depends On: 1233084
Blocks: 1145400 1232367 1253077
  Show dependency treegraph
 
Reported: 2015-06-16 10:52 EDT by Vasyl Kaigorodov
Modified: 2016-04-26 19:02 EDT (History)
24 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that in Foreman the edit_users permissions (for example, granted to the Manager role) allowed the user to edit admin user passwords. An attacker with the edit_users permissions could use this flaw to access an admin user account, leading to an escalation of privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-21 22:08:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1591 normal SHIPPED_LIVE Important: Red Hat Satellite 6.1.1 on RHEL 7 2015-08-12 04:49:40 EDT
Red Hat Product Errata RHSA-2015:1592 normal SHIPPED_LIVE Important: Red Hat Satellite 6.1.1 on RHEL 6 2015-08-12 05:04:35 EDT

  None (edit)
Description Vasyl Kaigorodov 2015-06-16 10:52:06 EDT 
Dominic Cleal of Red Hat reported the below issue in Foreman:

A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.

Upstream bug: http://projects.theforeman.org/issues/10829
Upstream fix: pull request not yet merged, see upstream bug
Comment 1 Kurt Seifried 2015-07-29 13:17:12 EDT 
Updated CVSS2 scoring.
Comment 2 errata-xmlrpc 2015-08-12 00:52:13 EDT 
This issue has been addressed in the following products:

  Red Hat Satellite 6.1

Via RHSA-2015:1591 https://access.redhat.com/errata/RHSA-2015:1591
Comment 3 errata-xmlrpc 2015-08-12 01:31:01 EDT 
This issue has been addressed in the following products:

  Red Hat Satellite 6.1

Via RHSA-2015:1592 https://access.redhat.com/errata/RHSA-2015:1592
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.