Bug 1729130 (CVE-2019-10198) - CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to information disclosure
Summary: CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to in...
Keywords:
Status: NEW
Alias: CVE-2019-10198
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190712,repor...
Depends On: 1729149 1729351
Blocks: 1729131
TreeView+ depends on / blocked
 
Reported: 2019-07-11 12:53 UTC by Marian Rehak
Modified: 2019-08-26 14:49 UTC (History)
13 users (show)

Fixed In Version: foreman-tasks 0.15.7
Doc Type: If docs needed, set a value
Doc Text:
An authentication bypass vulnerability was discovered in Foreman. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2019-07-11 12:53:38 UTC
A user who has no roles or permissions can still view task's details both through the web UI and through api, if the user knows the UUID of the task.

This was introduced in foreman-tasks@79a0e2cb5, before this commit tasks were looked up through find_resource which performed authorization checks. After this change, permissions are bypassed.

Upstream Commit:

https://github.com/theforeman/foreman-tasks/pull/151/commits/79a0e2cb52fbf872863a3a176e5b1d9a09fc984d

Comment 2 Tomer Brisker 2019-07-15 15:59:36 UTC
This has been fixed upstream in https://github.com/theforeman/foreman-tasks/commit/3104a46cf669ae62f9034e9547cb93cc03384cd9.

Comment 3 Doran Moppert 2019-07-15 23:42:42 UTC
External References:

https://projects.theforeman.org/issues/27275


Note You need to log in before you can comment on or make changes to this bug.