Bug 1342439 (CVE-2016-4475) - CVE-2016-4475 foreman: API and UI actions/URLs not limited to the orgs/locations assigned
Summary: CVE-2016-4475 foreman: API and UI actions/URLs not limited to the orgs/locati...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-4475
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160602,repor...
Depends On: 1342665
Blocks: 1342442
TreeView+ depends on / blocked
 
Reported: 2016-06-03 09:40 UTC by Andrej Nemec
Modified: 2019-06-08 21:14 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the foreman API and UI actions and URLs are not properly limited to the organizations and locations they were assigned to. This could allow an attacker to view and update other organizations and locations in the system that they should not be allowed to.
Clone Of:
Environment:
Last Closed: 2016-09-19 19:41:47 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2016-06-03 09:40:15 UTC
A number of API and UI actions/URLs for viewing and managing
organisations and locations are not limited to the orgs/locations
assigned directly to the user, instead they are only restricted by
permissions assigned to the user's roles. This allows users to view and
update other organisations/locations in the system that they should not
have access to.

Upstream bug:

http://projects.theforeman.org/issues/15268

Proposed patch:

https://github.com/theforeman/foreman/pull/3568/commits/d88f399d68425e8a69ce95a8e78b681bccf211af

Comment 2 Kurt Seifried 2016-09-19 19:36:06 UTC
Fixed upstream 	1.11.4

Comment 3 Kurt Seifried 2016-09-19 19:41:47 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.2

Via RHSA-2016:1615


Note You need to log in before you can comment on or make changes to this bug.