Dominic Cleal of Red Hat reports: Users who are logged in with permissions to view some hosts are able to preview provisioning templates for any host by specifying its hostname in the URL, as the specific view_hosts permissions and filters aren't checked. If the organization or location features are enabled, the user will still be restricted to their associated orgs/locs. This can disclose configuration information about the host, including root password hashes if used in preseed/kickstart templates. Upstream bug: http://projects.theforeman.org/issues/15490 Proposed patch: https://github.com/theforeman/foreman/pull/2428
Acknowledgments: Name: Dominic Cleal (Red Hat)
This issue has been addressed in the following products: Red Hat Satellite 6.3 for RHEL 7 Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336