Jan Rusnacko of the Red Hat Product Security Team reports:

CFME contains an authorization bypass issue in the action rbac_user_edit, which allows authenticated users with minimal privileges to gain access to additional privileges. The problem is in the method check_privileges in vmdb/app/controllers/application_controller.rb:

    def check_generic_rbac
      ident = "#{controller_name}_#{action_name}"
      if MiqProductFeature.feature_exists?(ident)
        passed = role_allows(:feature => ident, :any => true)
        unless passed
          if request.xml_http_request?
            render :update do |page|
              page.redirect_to :controller => 'dashboard', :action => 'auth_error'
            end
          else
            redirect_to(:controller => 'dashboard', :action => 'auth_error')
          end
        end
        passed
      else
        validate_route(controller_name, request.env['REQUEST_METHOD'], action_name)
      end
    end

Since there is no else branch for the "if MiqProductFeature.feature_exists?(ident)", any feature that is missing from the list of known features will be allowed by default. One such feature is ops_rbac_user_edit. This is the exact same place in the code that is causing CVE-2014-0078; however, the fix for this issue solves only CVE-2014-0078, not the problem itself. After the fix is applied, privileges for x_button are checked, but other actions like rbac_user_edit are allowed by default.
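The report describes a fail-open authorization check: an action whose identifier is not registered as a feature never reaches the role check and is allowed by default. The following Ruby is an added illustration, not ManageIQ code or the vendor's fix. It models the same "#{controller}_#{action}" identifier shape against a constructed feature list and role table, places the fail-open shape next to a fail-closed one, and lists the actions that only the fail-open variant lets a low-privilege role reach. The feature names, roles, and the use of a plain `true` to stand in for the fallback path are assumptions made for the example.

```ruby
# Added illustration (not ManageIQ code): the fail-open pattern reported in
# check_generic_rbac, beside a fail-closed version of the same check.
# KNOWN_FEATURES and ROLE_FEATURES are constructed for this example; only the
# identifier shape "#{controller}_#{action}" follows the report.

# Constructed feature registry, standing in for MiqProductFeature.feature_exists?.
KNOWN_FEATURES = %w[ops_rbac_user_show ops_rbac_user_delete x_button].freeze

# Constructed role table: which role may use which registered feature.
ROLE_FEATURES = {
  "admin"  => %w[ops_rbac_user_show ops_rbac_user_delete x_button],
  "viewer" => %w[ops_rbac_user_show],
}.freeze

def feature_exists?(ident)
  KNOWN_FEATURES.include?(ident)
end

def role_allows?(role, ident)
  ROLE_FEATURES.fetch(role, []).include?(ident)
end

# Vulnerable shape: an identifier missing from the feature list skips the role
# check entirely, so the request is authorized by default (fail-open).
def check_rbac_fail_open(role, controller, action)
  ident = "#{controller}_#{action}"
  if feature_exists?(ident)
    role_allows?(role, ident)
  else
    true # assumption: models the fallback path that the report says allows by default
  end
end

# Hardened shape: an unregistered identifier is denied, so every reachable
# action must be registered as a feature before any role can be granted it.
def check_rbac_fail_closed(role, controller, action)
  ident = "#{controller}_#{action}"
  return false unless feature_exists?(ident)
  role_allows?(role, ident)
end

# Actions a role reaches under the fail-open check but not under the
# fail-closed one: exactly the controller actions with no feature entry.
# Useful as a regression check when auditing a controller's action list.
def fail_open_gaps(role, controller, actions)
  actions.select do |action|
    check_rbac_fail_open(role, controller, action) &&
      !check_rbac_fail_closed(role, controller, action)
  end
end

if __FILE__ == $PROGRAM_NAME
  actions = %w[user_show user_delete user_edit]
  gaps = fail_open_gaps("viewer", "ops_rbac", actions)
  puts "actions reachable by 'viewer' only because the check fails open: #{gaps.inspect}"
end
```

With the constructed data, the viewer role is correctly refused ops_rbac_user_delete (registered, not granted) under both variants, but reaches ops_rbac_user_edit under the fail-open variant solely because no feature entry exists for it; the fail-closed variant denies it. Registering the missing feature would be the complementary fix, and `fail_open_gaps` reports which actions still need one.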
Acknowledgements: This issue was discovered by Jan Rusnacko of the Red Hat Product Security Team.
Because this has become a hardening issue rather than a security bug, I have created a hardening ticket for it here: https://github.com/ManageIQ/manageiq/issues/1581
This issue has been addressed in the following products:

CloudForms Management Engine 5.3
Via RHSA-2015:0028 https://rhn.redhat.com/errata/RHSA-2015-0028.html