Bug 1342439 - (CVE-2016-4475) CVE-2016-4475 foreman: API and UI actions/URLs not limited to the orgs/locations assigned
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20160602,repor...
Keywords: Security
Depends On: 1342665
Blocks: 1342442
Reported: 2016-06-03 05:40 EDT by Andrej Nemec
Modified: 2016-11-14 04:11 EST (History)
CC: 26 users
Doc Text:
It was found that the foreman API and UI actions and URLs are not properly limited to the organizations and locations they were assigned to. This could allow an attacker to view and update other organizations and locations in the system that they should not be allowed to.
Last Closed: 2016-09-19 15:41:47 EDT
Description Andrej Nemec 2016-06-03 05:40:15 EDT
A number of API and UI actions/URLs for viewing and managing
organisations and locations are not limited to the orgs/locations
assigned directly to the user; instead they are only restricted by
permissions assigned to the user's roles. This allows users to view and
update other organisations/locations in the system that they should not
have access to.

Upstream bug:

http://projects.theforeman.org/issues/15268

Proposed patch:

https://github.com/theforeman/foreman/pull/3568/commits/d88f399d68425e8a69ce95a8e78b681bccf211af
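The distinction the report draws, a decision made from role permissions alone versus one that also checks the caller's assigned organisations and locations, is easier to see side by side. The following Ruby is an added illustration written for this page; it is not Foreman's code and does not use Foreman's models or permission names. The `User`, `Location`, `permitted_by_role_only?`, `permitted_in_scope?`, `visible_locations` and `handle_update` names, the permission strings and the sample records are all constructed for the example.

```ruby
require 'set'

# Added illustration, not Foreman code: a minimal model of users who hold
# permissions through roles and are also assigned to specific
# organisations and locations (hypothetical structures).
User     = Struct.new(:name, :permissions, :org_ids, :location_ids)
Location = Struct.new(:id, :name, :org_id)

# Constructed sample data: three locations across two organisations.
LOCATIONS = [
  Location.new(1, "paris",  10),
  Location.new(2, "berlin", 10),
  Location.new(3, "tokyo",  20),
].freeze

# alice's role grants view/edit on locations, but she is assigned only to
# organisation 10 and to locations 1 and 2 (constructed user).
ALICE = User.new("alice",
                 Set["view_locations", "edit_locations"],
                 Set[10],
                 Set[1, 2]).freeze

# The pattern the bug describes: only the role permission is consulted, so
# once a role grants the action, every location in the system passes.
def permitted_by_role_only?(user, action, _location)
  user.permissions.include?(action)
end

# Hardened decision: the role must grant the action AND the target must lie
# inside the caller's assigned scope (its organisation and the location itself).
def permitted_in_scope?(user, action, location)
  user.permissions.include?(action) &&
    user.org_ids.include?(location.org_id) &&
    user.location_ids.include?(location.id)
end

# Listing actions need the same scoping: filter to the assigned orgs/locations
# rather than returning every record the permission alone would expose.
def visible_locations(user, locations)
  return [] unless user.permissions.include?("view_locations")
  locations.select do |l|
    user.org_ids.include?(l.org_id) && user.location_ids.include?(l.id)
  end
end

# Simulated controller action for "update location"; the policy is injected so
# the two decisions can be compared on the same request.
def handle_update(user, location, policy)
  unless policy.call(user, "edit_locations", location)
    return [403, "forbidden: #{location.name} is outside #{user.name}'s scope"]
  end
  [200, "updated #{location.name}"]
end

if __FILE__ == $PROGRAM_NAME
  tokyo = LOCATIONS.last # organisation 20, not assigned to alice
  p handle_update(ALICE, tokyo, method(:permitted_by_role_only?)) # => [200, "updated tokyo"]  (the flaw)
  p handle_update(ALICE, tokyo, method(:permitted_in_scope?))     # => [403, "forbidden: ..."]
  p visible_locations(ALICE, LOCATIONS).map(&:name)              # => ["paris", "berlin"]
end
```

The useful property for review is that the scope check sits in the same decision as the permission check, so a new action or URL cannot accidentally inherit permission-only behaviour; a listing endpoint that is scoped while the matching update endpoint is not is exactly the inconsistency this report describes.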
Comment 2 Kurt Seifried 2016-09-19 15:36:06 EDT
Fixed upstream 1.11.4
Comment 3 Kurt Seifried 2016-09-19 15:41:47 EDT
This issue has been addressed in the following products:

  Red Hat Satellite 6.2

Via RHSA-2016:1615