It was found that spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks due to incorrect authorization check in backend/server/rhnChannel.py.
Created attachment 1269322 [details]
Name: Bert Stel (SUSE)
the proposed patch does not seem to fix anything. If you have a reproducer will you mind to share it with us?
The reason given to me by our maintainer is:
the select previously will always report success as a dictionary is returned (element size 1). the patch changes it to count the entries in this dictionary instead.
can you contact our developer
Can Bulut Bayburt ( email@example.com )
for more information?
Steps to Reproduce:
1. install Satellite / Spacewalk server
2. create Admin user
3. create system group Group1
4. create User1, standard (non-admin) user, make it Group1 administrator
5. create User2, standard (non-admin) user
6. create User3, admin user, and disable it
7. register a system into Satellite / Spacewalk and add it to Group1
8. on the system use rhn-channel to add/remove chnnels as user Admin, User1, User2, User3
all user can add/remove channels
only Admin and User1 can manipulate channels
All users, group and server belong to the same org
This issue affects the versions of spacewalk-backend as shipped with Red Hat Satellite version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
does this mean you are not going to assign a CVE?
Has been an embargo date decided already?
This issue has been addressed in the following products:
Red Hat Satellite 5.7
Red Hat Satellite 5.6
Via RHSA-2017:1259 https://access.redhat.com/errata/RHSA-2017:1259