A user who has no roles or permissions can still view a task's details, both through the web UI and through the API, if the user knows the UUID of the task. This was introduced in foreman-tasks@79a0e2cb5; before that commit, tasks were looked up through find_resource, which performed authorization checks. After this change, those permission checks are bypassed. Upstream commit: https://github.com/theforeman/foreman-tasks/pull/151/commits/79a0e2cb52fbf872863a3a176e5b1d9a09fc984d
This has been fixed upstream in https://github.com/theforeman/foreman-tasks/commit/3104a46cf669ae62f9034e9547cb93cc03384cd9.
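As an added illustration (not foreman-tasks' own code), the following standalone Ruby sketch contrasts the two lookup patterns the report describes: fetching a task straight from the store by its UUID, versus resolving it through a find_resource-style helper that applies the caller's permissions first. The in-memory store, the User/Task structures, authorized_scope and the :view_foreman_tasks permission name are assumptions of this sketch.

```ruby
require 'securerandom'

class NotFound < StandardError; end

# Constructed sketch, not foreman-tasks code: a task owned by some user, and a
# user whose only authorization data is a list of permission symbols.
Task = Struct.new(:id, :label, :owner)
User = Struct.new(:name, :permissions)

# Constructed in-memory "database" keyed by task UUID.
TASKS = {}

def add_task(label, owner)
  task = Task.new(SecureRandom.uuid, label, owner)
  TASKS[task.id] = task
end

# Vulnerable pattern (what the report describes after 79a0e2cb5): the task is
# fetched straight from the store, so any caller who knows the UUID reads it.
def find_task_unscoped(_user, uuid)
  TASKS.fetch(uuid) { raise NotFound, uuid }
end

# Everything the caller is allowed to see. The permission name
# :view_foreman_tasks is an assumption for this sketch.
def authorized_scope(user)
  return [] unless user.permissions.include?(:view_foreman_tasks)
  TASKS.values
end

# Safe pattern (find_resource-style): the lookup runs inside the caller's
# authorized scope, so an unauthorized caller gets the same NotFound as for a
# UUID that does not exist and learns nothing about the task.
def find_resource(user, uuid)
  authorized_scope(user).find { |t| t.id == uuid } || raise(NotFound, uuid)
end

if __FILE__ == $PROGRAM_NAME
  task = add_task('Sync repository', 'admin')
  nobody = User.new('nobody', [])
  puts "unscoped lookup by UUID: #{find_task_unscoped(nobody, task.id).label}"
  begin
    find_resource(nobody, task.id)
  rescue NotFound
    puts 'scoped lookup by UUID: not found for user without permissions'
  end
end
```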
External References: https://projects.theforeman.org/issues/27275
This issue has been addressed in the following products: Red Hat Satellite 6.6 for RHEL 7, via RHSA-2019:3172 (https://access.redhat.com/errata/RHSA-2019:3172).
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10198