Marek Hulán of Red Hat reports:
When accessing Foreman as a user limited to a specific organization, having access to other organization IDs and having unlimited filters could allow a user to access/modify other organization data by using the organization ID as an API parameter.
Upstream bug: http://projects.theforeman.org/issues/15182
Upstream patch: https://github.com/theforeman/foreman/pull/3553/commits/42066cfa19de316449954079c07bdf1e4cc5eb0a
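The flaw described above is a scoping failure: the organization named in the request is used to select data before the server confirms that the caller belongs to that organization. The following Ruby snippet is an added illustration of that pattern and its fix; it is not Foreman's code, and the User, Organization and Host classes, the sample records and both lookup functions are hypothetical stand-ins constructed for this example.

```ruby
# Added example, not Foreman's code: why an organization ID taken from an
# API parameter must be checked against the caller's own organizations.
# All classes, records and functions below are constructed for illustration.

Organization = Struct.new(:id, :name)
Host = Struct.new(:id, :name, :organization_id)

class User
  attr_reader :name, :organization_ids
  # organization_ids: the organizations this user is assigned to.
  # admin: an unrestricted account that may see every organization.
  def initialize(name, organization_ids, admin = false)
    @name = name
    @organization_ids = organization_ids
    @admin = admin
  end

  def admin?
    @admin
  end
end

class NotAuthorized < StandardError; end

# Constructed sample data: two organizations, each owning one host.
ORGS  = [Organization.new(1, "acme"), Organization.new(2, "globex")].freeze
HOSTS = [Host.new(10, "web01", 1), Host.new(20, "db01", 2)].freeze

# Vulnerable pattern: the organization ID comes straight from the request
# parameter and drives the query, so a user restricted to organization 1
# can read organization 2's hosts simply by sending organization_id=2.
def hosts_for_org_unscoped(_user, params)
  org_id = Integer(params[:organization_id])
  HOSTS.select { |h| h.organization_id == org_id }
end

# Hardened pattern: the requested organization must be one the caller is
# assigned to (or the caller must be unrestricted). The check happens
# before any data query runs, and a refusal raises rather than returning
# an empty list, so the denial is visible in logs and to the client.
def hosts_for_org_scoped(user, params)
  org_id = Integer(params[:organization_id])
  unless user.admin? || user.organization_ids.include?(org_id)
    raise NotAuthorized, "#{user.name} is not a member of organization #{org_id}"
  end
  HOSTS.select { |h| h.organization_id == org_id }
end

# Convenience wrapper returning a symbol instead of raising, which is
# handy when comparing the two behaviours side by side.
def scoped_outcome(user, params)
  hosts_for_org_scoped(user, params).map(&:id)
rescue NotAuthorized
  :denied
end
```

With a user assigned only to organization 1, `hosts_for_org_unscoped` happily returns organization 2's host when asked for `organization_id=2`, whereas `hosts_for_org_scoped` refuses the request and only answers for organization 1; an admin account still gets full scope from the hardened version. The essential point is that the parameter selects among the caller's permitted organizations and never widens them.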
Upstream patches:
https://github.com/theforeman/foreman/commit/1144040f444b4bf4aae81940a150b26b23b4623c
https://github.com/theforeman/foreman/commit/a30ab44ed6f140f1791afc51a1e448afc2ff28f9
Acknowledgments: Marek Hulán (Red Hat)
This issue has been addressed in the following products:
Red Hat Satellite 6.3 for RHEL 7, via RHSA-2018:0336: https://access.redhat.com/errata/RHSA-2018:0336