Bug 1342439 (CVE-2016-4475) - CVE-2016-4475 foreman: API and UI actions/URLs not limited to the orgs/locations assigned
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-4475
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1342665
Blocks: 1342442
Reported: 2016-06-03 09:40 UTC by Andrej Nemec
Modified: 2019-09-29 13:50 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-09-19 19:41:47 UTC
Embargoed:



Description Andrej Nemec 2016-06-03 09:40:15 UTC
A number of API and UI actions/URLs for viewing and managing
organisations and locations are not limited to the orgs/locations
assigned directly to the user, instead they are only restricted by
permissions assigned to the user's roles. This allows users to view and
update other organisations/locations in the system that they should not
have access to.

Upstream bug:

http://projects.theforeman.org/issues/15268

Proposed patch:

https://github.com/theforeman/foreman/pull/3568/commits/d88f399d68425e8a69ce95a8e78b681bccf211af
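
Added example, written in Ruby because Foreman is a Rails application; it is not Foreman's code and not the linked patch. The User and Organization structs, the permission names and the sample data are hypothetical, constructed here to contrast the flawed check the report describes (an action restricted only by the role permission) with one that also scopes the lookup to the organizations assigned to the user. The same pattern applies to locations.

```ruby
# Added illustration, not Foreman's code: a minimal model of the authorization
# flaw reported above. Organizations are "taxonomies" assigned per user; a role
# permission alone must not be enough to list or modify one.

Organization = Struct.new(:id, :name)

User = Struct.new(:name, :permissions, :organization_ids) do
  # Role-derived permission check (hypothetical permission names).
  def can?(permission)
    permissions.include?(permission)
  end
end

# Constructed sample data for the example.
ORGS = [
  Organization.new(1, "acme"),
  Organization.new(2, "globex"),
].freeze

# A user who holds both permissions via a role but is assigned only to org 1.
ALICE = User.new("alice", %w[view_organizations edit_organizations], [1]).freeze

# Flawed pattern: restricted only by role permission, so every organization in
# the system is returned regardless of which ones the user is assigned to.
def organizations_visible_permission_only(user, orgs = ORGS)
  return [] unless user.can?("view_organizations")
  orgs
end

# Corrected pattern: require the permission AND limit the result set to the
# organizations directly assigned to the user.
def organizations_visible_scoped(user, orgs = ORGS)
  return [] unless user.can?("view_organizations")
  orgs.select { |org| user.organization_ids.include?(org.id) }
end

class NotAuthorized < StandardError; end

# Mutating action keyed by an id taken from the URL (e.g. PUT /organizations/2).
# Flawed: any id in the table is accepted once the permission check passes.
def update_organization_permission_only(user, org_id, new_name, orgs = ORGS)
  raise NotAuthorized unless user.can?("edit_organizations")
  org = orgs.find { |o| o.id == org_id }
  raise NotAuthorized unless org
  org.dup.tap { |o| o.name = new_name }
end

# Corrected: resolve the record through the user's assigned set rather than
# the global table, so an id outside that set behaves like a missing record.
def update_organization_scoped(user, org_id, new_name, orgs = ORGS)
  raise NotAuthorized unless user.can?("edit_organizations")
  org = orgs.find { |o| o.id == org_id && user.organization_ids.include?(o.id) }
  raise NotAuthorized unless org
  org.dup.tap { |o| o.name = new_name }
end

if $PROGRAM_NAME == __FILE__
  p organizations_visible_permission_only(ALICE).map(&:name) # => ["acme", "globex"]
  p organizations_visible_scoped(ALICE).map(&:name)          # => ["acme"]
  begin
    update_organization_scoped(ALICE, 2, "renamed")
  rescue NotAuthorized
    puts "update of organization 2 denied"
  end
end
```

The check worth carrying into a real code base is the second one: the permission gate answers "may this user perform this action at all", and the taxonomy scope answers "on which records"; an endpoint that only asks the first question exposes every organization or location that the user's role name happens to cover.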

Comment 2 Kurt Seifried 2016-09-19 19:36:06 UTC
Fixed upstream 1.11.4

Comment 3 Kurt Seifried 2016-09-19 19:41:47 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.2

Via RHSA-2016:1615

