1729130 – (CVE-2019-10198) CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to information disclosure

Bug 1729130 (CVE-2019-10198) - CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to information disclosure

Summary: CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to in...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-10198
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1729149 1729351
Blocks:	1729131
TreeView+	depends on / blocked

Reported:	2019-07-11 12:53 UTC by Marian Rehak
Modified:	2021-12-14 18:47 UTC (History)
CC List:	12 users (show)
Fixed In Version:	foreman-tasks 0.15.7
Doc Type:	If docs needed, set a value
Doc Text:	An authentication bypass vulnerability was discovered in Foreman. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.
Clone Of:
Environment:
Last Closed:	2019-10-22 18:51:16 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:3172	0	None	None	None	2019-10-22 12:46:34 UTC

Description Marian Rehak 2019-07-11 12:53:38 UTC

A user who has no roles or permissions can still view task's details both through the web UI and through api, if the user knows the UUID of the task.

This was introduced in foreman-tasks@79a0e2cb5, before this commit tasks were looked up through find_resource which performed authorization checks. After this change, permissions are bypassed.

Upstream Commit:

https://github.com/theforeman/foreman-tasks/pull/151/commits/79a0e2cb52fbf872863a3a176e5b1d9a09fc984d

Comment 2 Tomer Brisker 2019-07-15 15:59:36 UTC

This has been fixed upstream in https://github.com/theforeman/foreman-tasks/commit/3104a46cf669ae62f9034e9547cb93cc03384cd9.

Comment 3 Doran Moppert 2019-07-15 23:42:42 UTC

External References:

https://projects.theforeman.org/issues/27275

Comment 4 errata-xmlrpc 2019-10-22 12:46:32 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.6 for RHEL 7

Via RHSA-2019:3172 https://access.redhat.com/errata/RHSA-2019:3172

Comment 5 Product Security DevOps Team 2019-10-22 18:51:16 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10198

Note You need to log in before you can comment on or make changes to this bug.