Bug 1729149 - CVE-2019-10198 tfm-rubygem-foreman-tasks: Authorization bypasses when accessing task details [rhn_satellite_6-default]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Tasks Plugin
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: 6.6.0
Assignee: Adam Ruzicka
QA Contact: Peter Dragun
URL:
Whiteboard:
Duplicates: 1729143 1729351
Depends On:
Blocks: CVE-2019-10198
 
Reported: 2019-07-11 13:15 UTC by Adam Ruzicka
Modified: 2019-10-22 12:48 UTC (History)

Fixed In Version: tfm-rubygem-foreman-tasks-0.15.5.3-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-22 12:47:50 UTC
Target Upstream Version:




Links:
Foreman Issue Tracker 27275 (last updated 2019-07-11 13:15:58 UTC)
Red Hat Product Errata RHSA-2019:3172 (last updated 2019-10-22 12:48:01 UTC)

Description Adam Ruzicka 2019-07-11 13:15:57 UTC
A user who has no roles or permissions can still view a task's details, both through the web UI and through the API, if the user knows the UUID of the task. I know UUIDs are tough to guess, but...

This was introduced in foreman-tasks@79a0e2cb5 [1]; before this commit, tasks were looked up through find_resource, which performed authorization checks. After this change, permissions are bypassed.

Steps to reproduce:
1) Have foreman with foreman-tasks >= 0.7.8
2) Trigger a couple of tasks
3) Create a user, assign no roles to the user
4.1) As the user, visit $foreman/foreman_tasks/tasks/$UUID, where $UUID is UUID of a task from 2)
4.2) As the user, visit $foreman/foreman_tasks/tasks/$UUID/sub_tasks, where $UUID is UUID of a task from 2) which has sub tasks
4.3) As the user, perform a GET request against $foreman/foreman_tasks/api/tasks/$UUID

Actual result:
In the UI, task details are shown. For a task with sub tasks, the sub tasks are shown on an index-like page.
In the API, details are provided.

Expected result:
In the UI, permission denied page is shown.
In the API, the request fails with either 403 or 404.

<pre>
# curl -u user:changeme -k https://localhost/foreman_tasks/api/tasks/f4211c3e-467f-405e-a70c-980d6c4d4e0f 2>/dev/null | ruby -e "require 'json'; puts JSON.pretty_generate(JSON.parse(STDIN.read))"
{
  "id": "f4211c3e-467f-405e-a70c-980d6c4d4e0f",
  "label": "Actions::RemoteExecution::RunHostJob",
  "pending": false,
  "action": "Remote action: Run sleep 60 on helpful-snipe.lxd",
  "username": "admin",
  "started_at": "2019-07-10 12:21:44 UTC",
  "ended_at": "2019-07-10 12:22:50 UTC",
  "state": "stopped",
  "result": "success",
  "progress": 1.0,
  "input": {
    "host": {
      "id": 1,
      "name": "helpful-snipe.lxd"
    },
    "job_category": "Commands",
    "description": "Run sleep 60",
    "delegated_action_id": 2,
    "locale": "en",
    "current_request_id": null,
    "current_timezone": "Europe/Prague",
    "current_user_id": 4,
    "current_organization_id": 1,
    "current_location_id": 2
  },
  "output": {
  },
  "humanized": {
    "action": "Remote action:",
    "input": "Run sleep 60 on helpful-snipe.lxd",
    "output": "Exit status: 0",
    "errors": [

    ]
  },
  "cli_example": null
}
</pre>

[1] - https://github.com/theforeman/foreman-tasks/pull/151/commits/79a0e2cb52fbf872863a3a176e5b1d9a09fc984d
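The lookup pattern the report contrasts, as an added example that is not part of the report and not foreman-tasks code: a bare lookup by task UUID (the bypass) beside a lookup resolved only within the user's authorized scope (the find_resource behaviour). The classes, permission names and the second task are constructed for the example; the first UUID is the one quoted above.

```ruby
# Constructed model, not foreman-tasks code; permission names are invented.
Task = Struct.new(:id, :label, :username)
class NotFound < StandardError; end
class User
  attr_reader :name
  def initialize(name, permissions = [])
    @name, @permissions = name, permissions
  end
  def can?(permission)
    @permissions.include?(permission)
  end
end

class TaskRepository
  def initialize(tasks)
    @tasks = tasks
  end
  # Vulnerable pattern: the UUID is resolved against every task, so any
  # authenticated user who learns a UUID can read the record.
  def find_unchecked(id)
    @tasks.find { |t| t.id == id } or raise NotFound
  end

  # Hardened pattern (what find_resource provides): the UUID is resolved only
  # within the user's authorized scope; a miss is reported as not found, which
  # also avoids confirming that the UUID exists.
  def find_resource(user, id)
    authorized_scope(user).find { |t| t.id == id } or raise NotFound
  end

  # :view_all_tasks sees every task, :view_own_tasks only the user's own
  # tasks, and a user with no permissions sees nothing.
  def authorized_scope(user)
    return @tasks if user.can?(:view_all_tasks)
    return @tasks.select { |t| t.username == user.name } if user.can?(:view_own_tasks)
    []
  end
end

# Mimics an API show action: 200 with the task, or 404 when the lookup fails.
def api_show(repo, user, id)
  [200, repo.find_resource(user, id)]
rescue NotFound
  [404, nil]
end
# Constructed sample data; the first UUID is the one quoted in the report.
REPO = TaskRepository.new([
  Task.new('f4211c3e-467f-405e-a70c-980d6c4d4e0f', 'Actions::RemoteExecution::RunHostJob', 'admin'),
  Task.new('2d7b6a10-1111-4222-8333-444455556666', 'Actions::Example', 'alice')
])
```

With no roles, `find_unchecked` still returns the admin's task while `api_show` answers 404; only a user holding the view permission (or the owner, under the own-tasks permission) gets a 200.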

Comment 1 Adam Ruzicka 2019-07-11 13:16:01 UTC
Created from redmine issue https://projects.theforeman.org/issues/27275

Comment 2 Adam Ruzicka 2019-07-11 13:16:04 UTC
Upstream bug assigned to aruzicka@redhat.com

Comment 4 Brad Buckingham 2019-07-12 15:20:36 UTC
*** Bug 1729143 has been marked as a duplicate of this bug. ***

Comment 5 Bryan Kearney 2019-07-15 12:04:10 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/27275 has been resolved.

Comment 6 Doran Moppert 2019-07-15 23:40:09 UTC
*** Bug 1729351 has been marked as a duplicate of this bug. ***

Comment 8 Peter Dragun 2019-08-20 10:05:16 UTC
Verified with steps from problem description.

Comment 10 errata-xmlrpc 2019-10-22 12:47:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172

