Bug 966804 (CVE-2013-2113) - CVE-2013-2113 Foreman: app/controllers/users_controller.rb arbitrary admin user creation due to mass assignment
Alias: CVE-2013-2113
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://projects.theforeman.org/issues...
Depends On: 966823 966825
Blocks: 966806
Reported: 2013-05-24 02:41 UTC by Kurt Seifried
Modified: 2021-02-17 07:40 UTC (History)
CC List: 22 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-07-16 03:47:10 UTC


Related errata: Red Hat Product Errata RHSA-2013:0995 (Private: 0, Priority: normal, Status: SHIPPED_LIVE) - Important: Foreman security and bug fix update - Last Updated: 2013-06-27 20:43:49 UTC

Description Kurt Seifried 2013-05-24 02:41:48 UTC
Ramon de C Valle (rcvalle@redhat.com) reports:

There is a mass assignment vulnerability in the create method of the
UsersController controller.

The create method in app/controllers/users_controller.rb deletes the 
user-controlled user[admin] parameter from the params hash but saves it to a 
local variable and assigns it to the newly created user object bypassing the 
:attr_protected mechanism.

  def create
    # user[admin] is removed from params, so attr_protected never sees it...
    admin = params[:user].delete :admin
    # ...but it is then written directly onto the new record in the block,
    # which is a plain attribute assignment and bypasses attr_protected
    @user = User.new(params[:user]){|u| u.admin = admin }
    if @user.save
      @user.roles << Role.find_by_name("Anonymous") unless @user.roles.map(&:name).include? "Anonymous"
      # remainder of the method not quoted in the report
    end
  end

Any non-admin user with permissions to create other (non-admin) users
(i.e. with Manager role) can create arbitrary admin users by sending a
specially-crafted POST request.
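
The flaw described above, as an added example that is not part of the original report or of Foreman's code: a self-contained Ruby model in which the User class, its emulation of attr_protected and the caller check are stand-ins written for illustration. It shows that attr_protected on its own drops user[admin], that the reported create pattern sets the flag anyway, and one hardened variant (an assumption for this example, not the upstream fix, which restricted role assignment) that honours the requested value only when the caller is already an admin.

```ruby
# Added example, not Foreman's code: a self-contained model of the mass
# assignment flaw described in the report and one hardened variant. The User
# class, its attr_protected emulation and the caller check are stand-ins
# written here for illustration; the hardened variant is an assumption, not
# the upstream fix.

class User
  attr_accessor :login, :email
  attr_reader :admin

  # Attributes that mass assignment must never set (emulates attr_protected).
  PROTECTED = [:admin].freeze

  # Mass assignment: protected keys are silently dropped, as ActiveRecord's
  # attr_protected does. The optional block mirrors ActiveRecord::Base.new,
  # which yields the new record before returning it; anything done in the
  # block is a direct attribute write and is NOT subject to attr_protected.
  def initialize(attrs = {})
    @admin = false
    attrs.each do |key, value|
      next if PROTECTED.include?(key.to_sym)
      public_send("#{key}=", value)
    end
    yield self if block_given?
  end

  # Boolean cast similar to what an ActiveRecord boolean column would do.
  def admin=(value)
    @admin = [true, "1", "true"].include?(value)
  end
end

# Vulnerable pattern from the report: user[admin] is deleted from params so
# the protected-attribute filter never sees it, then handed straight to the
# record in the block, so whoever may call create also sets the flag.
def vulnerable_create(params)
  admin = params[:user].delete(:admin)
  User.new(params[:user]) { |u| u.admin = admin }
end

# Hardened variant (an assumption for this example): the requested value is
# honoured only when the caller is already an admin; otherwise the record
# keeps its default of false regardless of what was submitted.
def hardened_create(params, current_user)
  requested = params[:user].delete(:admin)
  User.new(params[:user]) do |u|
    u.admin = requested if current_user.admin
  end
end

# Constructed request body (not a real capture): what a user holding the
# Manager role might submit to the create action, with admin=1 included.
# Returns a fresh hash each call because the create methods mutate it.
def crafted_params
  { user: { login: "mallory", email: "mallory@example.test", admin: "1" } }
end

MANAGER = User.new(login: "manager")                      # admin stays false
SITE_ADMIN = User.new(login: "root") { |u| u.admin = true }

if __FILE__ == $PROGRAM_NAME
  puts "attr_protected alone:  admin=#{User.new(crafted_params[:user]).admin}"
  puts "vulnerable create:     admin=#{vulnerable_create(crafted_params).admin}"
  puts "hardened, as Manager:  admin=#{hardened_create(crafted_params, MANAGER).admin}"
  puts "hardened, as admin:    admin=#{hardened_create(crafted_params, SITE_ADMIN).admin}"
end
```

The point the stand-in makes visible is that attr_protected only filters the hash passed to new; any value pulled out of params beforehand and written in the block (or after construction) is an ordinary attribute assignment, so the authorization decision has to be made on the caller, not on the parameter.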

Comment 4 Dominic Cleal 2013-06-07 09:48:17 UTC
Upstream tracker: http://projects.theforeman.org/issues/2630

A fix has been committed:
commit bae665de387d63f93740670ec2542db90084d0eb
Author: Marek Hulan <mhulan@redhat.com>
Date:   Thu Jun 6 11:25:17 2013 +0200

    fixes #2630 - restrict assignment of roles to those a user has (CVE-2013-2113)

And cherry-picked to stable branches:
1.2-stable: b52383d075abe611ac18db3925a787fa4b94b33b
1.1-stable: 7eadf32c83381aadc092cded68efff04ef20e07a

The fix will be packaged as part of Foreman 1.2.0-RC2.

foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975

Comment 5 Murray McAllister 2013-06-13 07:20:19 UTC
This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.

Comment 7 Kurt Seifried 2013-06-13 16:05:30 UTC
This issue is public: http://projects.theforeman.org/issues/2630

Comment 8 errata-xmlrpc 2013-06-27 16:44:58 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0995 https://rhn.redhat.com/errata/RHSA-2013-0995.html
