Bug 1729130 (CVE-2019-10198) - CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to information disclosure
Summary: CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to in...
Alias: CVE-2019-10198
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1729149 1729351
Blocks: 1729131
TreeView+ depends on / blocked
Reported: 2019-07-11 12:53 UTC by Marian Rehak
Modified: 2021-12-14 18:47 UTC (History)
12 users (show)

Fixed In Version: foreman-tasks 0.15.7
Doc Type: If docs needed, set a value
Doc Text:
An authentication bypass vulnerability was discovered in Foreman. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.
Clone Of:
Last Closed: 2019-10-22 18:51:16 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3172 0 None None None 2019-10-22 12:46:34 UTC

Description Marian Rehak 2019-07-11 12:53:38 UTC
A user who has no roles or permissions can still view task's details both through the web UI and through api, if the user knows the UUID of the task.

This was introduced in foreman-tasks@79a0e2cb5, before this commit tasks were looked up through find_resource which performed authorization checks. After this change, permissions are bypassed.

Upstream Commit:


Comment 2 Tomer Brisker 2019-07-15 15:59:36 UTC
This has been fixed upstream in https://github.com/theforeman/foreman-tasks/commit/3104a46cf669ae62f9034e9547cb93cc03384cd9.

Comment 3 Doran Moppert 2019-07-15 23:42:42 UTC
External References:


Comment 4 errata-xmlrpc 2019-10-22 12:46:32 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.6 for RHEL 7

Via RHSA-2019:3172 https://access.redhat.com/errata/RHSA-2019:3172

Comment 5 Product Security DevOps Team 2019-10-22 18:51:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.