1342439 – (CVE-2016-4475) CVE-2016-4475 foreman: API and UI actions/URLs not limited to the orgs/locations assigned

Bug 1342439 (CVE-2016-4475) - CVE-2016-4475 foreman: API and UI actions/URLs not limited to the orgs/locations assigned

Summary: CVE-2016-4475 foreman: API and UI actions/URLs not limited to the orgs/locati...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-4475
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1342665
Blocks:	1342442
TreeView+	depends on / blocked

Reported:	2016-06-03 09:40 UTC by Andrej Nemec
Modified:	2019-09-29 13:50 UTC (History)
CC List:	26 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was found that the foreman API and UI actions and URLs are not properly limited to the organizations and locations they were assigned to. This could allow an attacker to view and update other organizations and locations in the system that they should not be allowed to.
Clone Of:
Environment:
Last Closed:	2016-09-19 19:41:47 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2016-06-03 09:40:15 UTC

A number of API and UI actions/URLs for viewing and managing
organisations and locations are not limited to the orgs/locations
assigned directly to the user, instead they are only restricted by
permissions assigned to the user's roles. This allows users to view and
update other organisations/locations in the system that they should not
have access to.

Upstream bug:

http://projects.theforeman.org/issues/15268

Proposed patch:

https://github.com/theforeman/foreman/pull/3568/commits/d88f399d68425e8a69ce95a8e78b681bccf211af

Comment 1 Kurt Seifried 2016-07-25 15:21:55 UTC

Upstream Patches:
https://github.com/theforeman/foreman/commit/1144040f444b4bf4aae81940a150b26b23b4623c
https://github.com/theforeman/foreman/commit/a30ab44ed6f140f1791afc51a1e448afc2ff28f9

Comment 2 Kurt Seifried 2016-09-19 19:36:06 UTC

Fixed upstream 	1.11.4

Comment 3 Kurt Seifried 2016-09-19 19:41:47 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.2

Via RHSA-2016:1615

Note You need to log in before you can comment on or make changes to this bug.

abaron
aortega
apevec
ayoung
bkearney
cbillett
ceph-eng-bugs
chrisw
jmatthew
jschluet
lhh
lpeer
markmc
mburns
mmccune
ohadlevy
rbryant
rhos-maint
satellite6-bugs
sclewis
sisharma
srevivo
tdecacqu
tjay
tlestach
tsanders