It was reported that non-admin users whose view_hosts permission is restricted by a filter are able to access API routes beneath "hosts", such as GET /api/v2/hosts/secrethost/interfaces, without the filter being taken into account. This allows such users to read network interface details (including BMC login details) for any host, not only the hosts their filter permits.
Affects Foreman 1.10.0 and higher.
Name: the Foreman project
Upstream: Daniel Lobato Garcia, Nacho Barrientos, Steve Traylen
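The flaw described above is a nested route that looks up its parent host without going through the permission filter. The following added example (a constructed toy model, not Foreman's code or its actual fix) shows that pattern beside a scoped lookup, plus a regression check that flags handlers which still leak; all class, method and host names other than the route's `secrethost` are hypothetical.

```ruby
# Constructed toy model: names and data are hypothetical, not Foreman's classes.
Host = Struct.new(:name, :hostgroup, :interfaces)
User = Struct.new(:login, :admin, :host_filter) # host_filter: lambda or nil

HOSTS = [
  Host.new("web01", "web", [{ type: "primary", ip: "192.0.2.10" }]),
  Host.new("secrethost", "infra", [{ type: "bmc", ip: "192.0.2.20", username: "root" }])
].freeze

# Hosts the user may view: the view_hosts filter applied to the collection.
def authorized_hosts(user)
  return HOSTS if user.admin
  return [] unless user.host_filter
  HOSTS.select { |h| user.host_filter.call(h) }
end

# Flawed pattern: the parent host is resolved from the unscoped collection,
# so the user's filter is never consulted for the nested route.
def interfaces_unscoped(_user, host_name)
  host = HOSTS.find { |h| h.name == host_name }
  host ? [200, host.interfaces] : [404, nil]
end

# Scoped pattern: the parent host is resolved through the filtered collection,
# so a host outside the filter looks the same as a host that does not exist.
def interfaces_scoped(user, host_name)
  host = authorized_hosts(user).find { |h| h.name == host_name }
  host ? [200, host.interfaces] : [404, nil]
end

# Regression check: returns the handlers that still answer 200 for a host
# the given user is not allowed to view.
def leaking_handlers(user, host_name, handlers)
  handlers.select { |name| send(name, user, host_name).first == 200 }
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", false, ->(h) { h.hostgroup == "web" })
  leaks = leaking_handlers(alice, "secrethost", %i[interfaces_unscoped interfaces_scoped])
  puts "handlers ignoring the filter: #{leaks.inspect}"
end
```

A check of this shape is most useful when it is run against every route nested under the parent resource, not only the interfaces route.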