It was found that the Foreman API and UI actions and URLs are not properly limited to the organizations and locations they were assigned to. This could allow an attacker to view and update other organizations and locations in the system that they should not be allowed to.
A number of API and UI actions/URLs for viewing and managing organizations and locations are not limited to the organizations/locations assigned directly to the user; instead they are only restricted by the permissions assigned to the user's roles. This allows users to view and update other organizations/locations in the system that they should not have access to.
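The flaw described above is a permission check that ignores scope: a role may grant "view organizations", but the check never asks whether the target belongs to one of the organizations or locations assigned to the user. The following Ruby example is added here to illustrate that distinction; it is not Foreman's code, and the `User`, `Resource`, `permission_only?` and `scoped_allowed?` names and the sample data are constructed for the example.

```ruby
# Added example (not Foreman code): a role-permission check alone, versus the
# same check combined with the user's assigned organization/location scope.

User = Struct.new(:name, :permissions, :organization_ids, :location_ids)
Resource = Struct.new(:id, :kind, :organization_id, :location_id)

# Constructed sample inventory: two organizations (1, 2), two locations (10, 20).
RESOURCES = [
  Resource.new(1, "organization", 1, nil),
  Resource.new(2, "organization", 2, nil),
  Resource.new(3, "host", 1, 10),
  Resource.new(4, "host", 2, 20),
  Resource.new(5, "host", 1, 20)
].freeze

# Constructed user: roles grant view/edit, but only Org 1 and Location 10 are assigned.
ALICE = User.new("alice", %w[view edit], [1], [10]).freeze

# Flawed policy: authorises purely on the role permission.
def permission_only?(user, action, _resource)
  user.permissions.include?(action)
end

# Taxonomy-scoped policy: the permission must be granted AND the resource must
# sit inside an organization and (where it has one) a location assigned to the user.
def scoped_allowed?(user, action, resource)
  return false unless user.permissions.include?(action)
  return false unless user.organization_ids.include?(resource.organization_id)
  return true if resource.location_id.nil?
  user.location_ids.include?(resource.location_id)
end

# Returns the ids a user can reach for an action under the given policy.
def reachable_ids(user, action, policy)
  RESOURCES.select { |r| send(policy, user, action, r) }.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  puts "permission only: #{reachable_ids(ALICE, 'view', :permission_only?).inspect}"
  puts "scoped:          #{reachable_ids(ALICE, 'view', :scoped_allowed?).inspect}"
end
```

Under the permission-only policy every resource is reachable, including Org 2 and the hosts in it; the scoped policy reduces the set to Org 1 and the single host that is in both Org 1 and Location 10, which is the behaviour the upstream fix restores.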
Fixed upstream in Foreman 1.11.4.
This issue has been addressed in the following products:
Red Hat Satellite 6.2