Bug 1729130 (CVE-2019-10198) - CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to information disclosure
Summary: CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to in...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10198
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1729149 1729351
Blocks: 1729131
TreeView+ depends on / blocked
 
Reported: 2019-07-11 12:53 UTC by Marian Rehak
Modified: 2019-10-22 18:51 UTC (History)
13 users (show)

Fixed In Version: foreman-tasks 0.15.7
Doc Type: If docs needed, set a value
Doc Text:
An authentication bypass vulnerability was discovered in Foreman. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.
Clone Of:
Environment:
Last Closed: 2019-10-22 18:51:16 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3172 None None None 2019-10-22 12:46:34 UTC

Description Marian Rehak 2019-07-11 12:53:38 UTC
A user who has no roles or permissions can still view task's details both through the web UI and through api, if the user knows the UUID of the task.

This was introduced in foreman-tasks@79a0e2cb5, before this commit tasks were looked up through find_resource which performed authorization checks. After this change, permissions are bypassed.

Upstream Commit:

https://github.com/theforeman/foreman-tasks/pull/151/commits/79a0e2cb52fbf872863a3a176e5b1d9a09fc984d

Comment 2 Tomer Brisker 2019-07-15 15:59:36 UTC
This has been fixed upstream in https://github.com/theforeman/foreman-tasks/commit/3104a46cf669ae62f9034e9547cb93cc03384cd9.

Comment 3 Doran Moppert 2019-07-15 23:42:42 UTC
External References:

https://projects.theforeman.org/issues/27275

Comment 4 errata-xmlrpc 2019-10-22 12:46:32 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.6 for RHEL 7

Via RHSA-2019:3172 https://access.redhat.com/errata/RHSA-2019:3172

Comment 5 Product Security DevOps Team 2019-10-22 18:51:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10198


Note You need to log in before you can comment on or make changes to this bug.