Bug 2184364 (CVE-2023-1832) - CVE-2023-1832 candlepin: Improper authorization check in the server component
Summary: CVE-2023-1832 candlepin: Improper authorization check in the server component
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2023-1832
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2186216
Blocks: 2184365
Reported: 2023-04-04 12:33 UTC by Pedro Sampaio
Modified: 2023-12-10 18:18 UTC (History)

Fixed In Version: candlepin-4.3.7-3, candlepin-4.3.8-1
Doc Type: If docs needed, set a value
Doc Text:
An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant.
Clone Of:
Environment:
Last Closed: 2023-09-22 11:00:50 UTC
Embargoed:


Links
System   ID                                Private  Priority  Status  Summary                                                          Last Updated
Github   candlepin/candlepin pull 4244     0        None      Merged  [4.3.7] Disallow creating consumers in org without permission   2023-09-22 11:00:50 UTC
Github   candlepin/candlepin pull 4257     0        None      open    [M] Disallow creating consumers in org without permission       2023-09-22 11:00:50 UTC

Description Pedro Sampaio 2023-04-04 12:33:03 UTC
An improper access control flaw was found in Candlepin. This issue enables a customer/tenant to create data scoped under another customer/tenant, and can result in loss of confidentiality and availability for the affected customer/tenant.

Comment 4 Nikos Moumoulidis 2023-09-22 11:00:50 UTC
This has been fixed in candlepin-4.3.7-3, and deployed to PROD hosted candlepin:

curl -k https://subscription.rhsm.redhat.com/candlepin/status | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   805    0   805    0     0   1580      0 --:--:-- --:--:-- --:--:--  1581
{
    "mode": "NORMAL",
    "modeReason": null,
    "modeChangeTime": null,
    "result": true,
    "version": "4.3.7",              <--- version
    "release": "3",                  <--- release
    "standalone": false,
    "timeUTC": "2023-09-22T10:58:37+0000",
    "rulesSource": "default",
    "rulesVersion": "5.44",
    "managerCapabilities": [
        "keycloak_auth",
        "cloud_registration",
        "instance_multiplier",
        "derived_product",
        "vcpu",
        "cert_v3",
        "hypervisors_heartbeat",
        "remove_by_pool_id",
        "syspurpose",
        "storage_band",
        "device_auth",
        "cores",
        "ssl_verify_status",
        "multi_environment",
        "hypervisors_async",
        "org_level_content_access",
        "guest_limit",
        "ram",
        "batch_bind",
        "combined_reporting"
    ],
    "keycloakRealm": "redhat-external",
    "keycloakAuthUrl": "https://sso.redhat.com/auth",
    "keycloakResource": "rhsm-api",
    "deviceAuthRealm": "redhat-external",
    "deviceAuthUrl": "https://sso.redhat.com/auth",
    "deviceAuthClientId": "rhsm-api",
    "deviceAuthScope": ""
}
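A defender-side verification of the step shown in the comment above, added here as an example and not code from the bug report or the Candlepin project: it parses the /candlepin/status payload and compares the deployed version and release against the "Fixed In Version" builds listed on this bug. The sample payload is constructed and trimmed to the fields used; the check assumes that builds newer than the oldest fixed build retain the fix.

```python
import json
import re

# "Fixed In Version" values from this bug (candlepin-4.3.7-3, candlepin-4.3.8-1).
# Assumption: any build at or above the oldest fixed build also carries the fix.
FIXED_IN = ("candlepin-4.3.7-3", "candlepin-4.3.8-1")

# Constructed sample of the /candlepin/status response, trimmed to the fields used here.
SAMPLE_STATUS = '{"mode": "NORMAL", "version": "4.3.7", "release": "3", "standalone": false}'

_VER_RE = re.compile(r"^(?:candlepin-)?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text):
    """Parse 'candlepin-4.3.7-3', '4.3.7-3' or '4.3.7' into a comparable tuple.
    A missing release is treated as 0, so '4.3.7' sorts below '4.3.7-3'."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, release = m.groups()
    return (int(major), int(minor), int(patch), int(release or 0))


def deployed_version(status_payload):
    """Combine the 'version' and 'release' fields of the /status JSON into one tuple."""
    data = json.loads(status_payload)
    version = data["version"]
    release = data.get("release")
    combined = f"{version}-{release}" if release not in (None, "") else version
    return parse_version(combined)


def is_fixed(status_payload, fixed_in=FIXED_IN):
    """True when the deployed build is at or above the oldest fixed build."""
    threshold = min(parse_version(v) for v in fixed_in)
    return deployed_version(status_payload) >= threshold


if __name__ == "__main__":
    # Replace SAMPLE_STATUS with the body returned by curl .../candlepin/status
    print("fixed" if is_fixed(SAMPLE_STATUS) else "VULNERABLE (below fixed build)")
```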