Bug 970849 - (CVE-2013-2143) CVE-2013-2143 Katello: /app/controllers/users_controller.rb insufficient privilege check
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
impact=important,public=20140324,repo...
: Security
Depends On: 970852 970860
Blocks: 970850 1239193
Reported: 2013-06-05 01:49 EDT by Garth Mollett
Modified: 2016-01-21 16:17 EST (History)
Doc Type: Bug Fix
Description Garth Mollett 2013-06-05 01:49:14 EDT
Ramon de C Valle <rcvalle@redhat.com> reports:

There is an improper privilege management vulnerability in the
update_roles method of the UsersController controller. The update_roles
method updates the roles of a specified user without checking the
privileges for the user performing the action.

  def update_roles
    params[:user] = { "role_ids" => [] } unless params.has_key? :user

    #Add in the own role if updating roles, cause the user shouldn't see his own role
    params[:user][:role_ids] << @user.own_role.id

    # No check here that the current user is permitted to modify @user,
    # and the whole params[:user] hash is passed to update_attributes.
    if @user.update_attributes(params[:user])
      notify.success _("User updated successfully.")

      if not search_validate(User, @user.id, params[:search], :username)
        notify.message _("'%s' no longer matches the current search criteria.") % @user.username
      end

      render :nothing => true and return
    end
    notify.invalid_record @user
    render :text => @user.errors, :status => :ok
  end

Any user can arbitrarily update any attributes of any user (including
themselves) by sending a specially-crafted POST request.
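The following is an added illustration, not Katello code and not part of the report above: a plain-Ruby model of the update_roles pattern that puts the vulnerable shape (no check on the acting user, raw request hash assigned to the target) next to a hardened one (permission check on the actor, only role_ids assigned, hidden own role added server-side). The User and Role classes, the NotAuthorized error, the :update_user_roles permission and the sample users are assumptions made for this example.

```ruby
require 'set'

# Added example (not Katello code): a plain-Ruby model of the update_roles
# pattern from the report. User, Role, NotAuthorized and the
# :update_user_roles permission are assumptions made for this illustration.

Role = Struct.new(:id, :name)

class User
  attr_reader :id, :username, :own_role
  attr_accessor :role_ids, :email

  def initialize(id, username, role_ids: [], permissions: [])
    @id = id
    @username = username
    # Each user carries a hidden per-user role, as Katello's @user.own_role does.
    @own_role = Role.new(1000 + id, "own_role_#{username}")
    @role_ids = role_ids + [@own_role.id]
    @permissions = Set.new(permissions)
    @email = "#{username}@example.test" # constructed sample value
  end

  def can?(permission)
    @permissions.include?(permission)
  end

  # Stand-in for ActiveRecord#update_attributes: assigns every key it is given.
  # Passing the raw request hash here is what lets a caller set any attribute.
  def update_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    true
  end
end

class NotAuthorized < StandardError; end

# Vulnerable shape: the acting user is never consulted, and the whole
# params[:user] hash is assigned to the target.
def update_roles_vulnerable(_actor, target, params)
  params[:user] = { "role_ids" => [] } unless params.key?(:user)
  params[:user]["role_ids"] ||= []
  params[:user]["role_ids"] << target.own_role.id
  target.update_attributes(params[:user])
end

# Hardened shape: refuse unless the actor holds the permission, and assign
# only role_ids (cast to integers), adding the hidden own role server-side.
def update_roles_hardened(actor, target, params)
  unless actor.can?(:update_user_roles)
    raise NotAuthorized, "#{actor.username} may not update roles of #{target.username}"
  end
  role_ids = Array(params.fetch(:user, {})["role_ids"]).map(&:to_i)
  target.update_attributes("role_ids" => role_ids + [target.own_role.id])
end

# Boolean wrapper around the hardened action (true = applied, false = refused).
def try_update_roles(actor, target, params)
  update_roles_hardened(actor, target, params)
  true
rescue NotAuthorized
  false
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, "alice", permissions: [:update_user_roles])
  bob   = User.new(2, "bob") # holds no permissions at all
  admin = User.new(3, "admin", role_ids: [1])

  update_roles_vulnerable(bob, admin, { user: { "role_ids" => [2], "email" => "changed@example.test" } })
  puts "vulnerable: roles=#{admin.role_ids.inspect} email=#{admin.email}"

  admin = User.new(3, "admin", role_ids: [1])
  puts "hardened, bob:   #{try_update_roles(bob, admin, { user: { "role_ids" => [2] } })}"
  puts "hardened, alice: #{try_update_roles(alice, admin, { user: { "role_ids" => ["2"], "email" => "x@example.test" } })}"
  puts "hardened: roles=#{admin.role_ids.inspect} email=#{admin.email}"
end
```

Run with `ruby` to see both shapes side by side: in the vulnerable path an unprivileged user changes another user's roles and e-mail; in the hardened path the same user is refused, and a privileged actor changes only role_ids while the extra "email" key is ignored. The two fixes are independent: the authorization check answers "may this actor do this at all", and the attribute allow-list answers "what may the request change even when the actor is allowed".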
Comment 3 Garth Mollett 2013-09-29 19:59:59 EDT
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.
Comment 4 Murray McAllister 2014-04-21 22:25:37 EDT
This issue is public now.
