Red Hat Bugzilla – Bug 990374
CVE-2013-4182 foreman: app/controllers/api/v1/hosts_controller.rb API privilege escalation
Last modified: 2016-04-27 01:50:59 EDT
Marek Hulan <email@example.com> reports:
Today it was discovered by a community member (Daniel Lobato) that users can
manage hosts via the API even when they shouldn't have access to them (it works
correctly in the UI). The app/controllers/api/v1/hosts_controller.rb does not
honor user privileges at all.
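The defect class the report describes, modelled in plain Ruby as an added illustration (this is not Foreman code; `User`, `Host`, `authorized_hosts` and the controller-style functions are assumptions): the UI entry point scopes hosts through a shared authorization rule, while the vulnerable API entry point authenticates the caller but never applies that rule.

```ruby
# Hypothetical model of the privilege-check gap: a UI path that scopes hosts to
# the caller's privileges beside an API path that returns everything, plus the
# fixed API path that reuses the same scope. Names are illustrative only.

User = Struct.new(:login, :admin, :allowed_hosts) # allowed_hosts: host names granted
Host = Struct.new(:name, :ip)

# Constructed sample inventory (not taken from the report).
HOSTS = [
  Host.new("web01.example.test",   "10.0.0.11"),
  Host.new("db01.example.test",    "10.0.0.21"),
  Host.new("build01.example.test", "10.0.0.31"),
].freeze

# The single authorization rule every entry point should go through:
# admins see all hosts, other users only those explicitly granted.
def authorized_hosts(user, hosts = HOSTS)
  return hosts if user.admin
  hosts.select { |h| user.allowed_hosts.include?(h.name) }
end

# UI-style index: honours privileges.
def ui_hosts_index(user)
  authorized_hosts(user).map(&:name)
end

# Vulnerable API-style index: authentication happens, authorization never does,
# so any authenticated API caller can list (and manage) every host.
def api_v1_hosts_index_vulnerable(user)
  raise "unauthenticated" if user.nil?
  HOSTS.map(&:name)
end

# Fixed API-style index: identical authentication, but the result set is the
# same authorized scope the UI uses.
def api_v1_hosts_index_fixed(user)
  raise "unauthenticated" if user.nil?
  authorized_hosts(user).map(&:name)
end

# Fixed API-style destroy: look the host up inside the authorized scope, so an
# unauthorized host is indistinguishable from a non-existent one.
def api_v1_host_destroy_fixed(user, name)
  host = authorized_hosts(user).find { |h| h.name == name }
  return :not_found if host.nil?
  :deleted
end
```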
Red Hat would like to thank Daniel Lobato of CERN IT-PES-PS for reporting this issue.
Fixed in upstream
sorry I should probably not change the Status
This issue has been addressed in the following products:
OpenStack 3 for RHEL 6
Via RHSA-2013:1196 https://rhn.redhat.com/errata/RHSA-2013-1196.html