Bug 1340107 - CVE-2016-4451 - Privileges escalation through Organization and Locations API
Summary: CVE-2016-4451 - Privileges escalation through Organization and Locations API
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Security
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Lukáš Hellebrandt
URL: http://projects.theforeman.org/issues...
Depends On:
Blocks: CVE-2016-4451
TreeView+ depends on / blocked
Reported: 2016-05-26 13:09 UTC by Marek Hulan
Modified: 2019-09-26 14:39 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-02-21 17:07:17 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 15182 0 None None None 2016-05-26 14:02:18 UTC

Description Marek Hulan 2016-05-26 13:09:07 UTC
We set current org/loc for user in before filter blindly without any association check [2][3]. As a user I'd expect 404 (bug fixed by #3549) but I get the list of resources from org I've chosen even though I'm not associated to it.

Note that this is possible because users have by default viewer_role allowing to view all data regardless of organization. If user would have all filters associated to org 1 only he/she wouldn't see resource from org 2.


Comment 1 Marek Hulan 2016-05-26 13:09:10 UTC
Created from redmine issue http://projects.theforeman.org/issues/15182

Comment 2 Marek Hulan 2016-05-26 13:09:14 UTC
Upstream bug assigned to mhulan

Comment 4 Bryan Kearney 2016-05-27 12:18:27 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/15182 has been closed

Comment 8 Lukáš Hellebrandt 2017-09-19 14:48:30 UTC

This might have been caused by something else but this bug is not verifiable anyway.

1) Create an org
2) Create a user in that org, grant full rights (not admin) to it
3) As admin, create some domain in that org.
4) As a user, create some domain in that org.
5) Notice that, when logged in a the user, you can't see any of those domains.
6) Try with API:
# curl -X GET -k -u testuser:testpass "https://<FQDN>/api/organizations/3/domains"
  "total": 0,
  "subtotal": 0,
  "page": 1,
  "per_page": 20,
  "search": null,
  "sort": {
    "by": null,
    "order": null
  "results": []

Comment 10 Lukáš Hellebrandt 2017-09-20 14:05:44 UTC
Verified with Sat6.3 snap 16.

The point here was not unability to reproduce. The problem was there has been a change in behavior between 6.2 and 6.3: entities without Location assigned are now not shown to non-admin users. As this is expected, according to devel, I am verifying this bug.

1) create org Testorg
2) create user Testuser in Testorg
3) assign Default Location to Testorg and to Testuser
4) as Testuser, create domain Testdomain with org Testorg and location Testlocation
5) List domains in Testorg, they are successfullylisted:
# curl -X GET -k -u Testuser:<testpass> "https://<FQDN>/api/domains?organization_id=<Testorg_id>"
6) create org Anotherorg
7) create user Anotheruser in Anotherorg
8) assign Default Location to Anotherorg and to Anotheruser
9) Try to list domains in Testorg as Anotheruser and get {"message":"Organization with id <Testorg_id> not found"} which means the bug has been fixed
# curl -X GET -k -u Anotheruser:<anotherpass> "https://<FQDN>/api/domains?organization_id=<Testorg_id>"

Further tested with similar steps using:
a) GET, Location instead of Org (for example API /api/locations/:location_id/hostgroups) and hostgroups as entity
b) POST, Location and Parameter create

Comment 11 Bryan Kearney 2018-02-21 17:07:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.