1355728 – (CVE-2016-5390) CVE-2016-5390 foreman: Access to API routes beneath hosts is not filtered for users with view_host permission

Bug 1355728 (CVE-2016-5390) - CVE-2016-5390 foreman: Access to API routes beneath hosts is not filtered for users with view_host permission

Summary: CVE-2016-5390 foreman: Access to API routes beneath hosts is not filtered for...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2016-5390
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-12 11:19 UTC by Adam Mariš
Modified:	2021-02-17 03:36 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-07-12 11:20:50 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2016-07-12 11:19:55 UTC

It was reported that non-admin users with the view_hosts permission containing a filter are able to access API routes beneath "hosts" such as GET /api/v2/hosts/secrethost/interfaces without the filter being taken into account. This allows users to access network interface details (including BMC login details) for any host.

Affects Foreman 1.10.0 and higher.

Upstream bug:

http://projects.theforeman.org/issues/15653

Comment 1 Adam Mariš 2016-07-12 11:20:18 UTC

Acknowledgments:

Name: the Foreman project
Upstream: Daniel Lobato Garcia, Nacho Barrientos, Steve Traylen

Note You need to log in before you can comment on or make changes to this bug.

aortega
apevec
ayoung
bkearney
cbillett
chrisw
cvsbot-xmlrpc
jmatthew
jschluet
kbasil
lhh
lpeer
markmc
mburns
mmccune
ohadlevy
rbryant
rhos-maint
satellite6-bugs
sclewis
srevivo
tdecacqu
tjay
tlestach
tsanders