oss-sec mailing list archives
CVE-2016-3693: Foreman application information leakage through templates
From: Dominic Cleal <dominic () cleal org>
Date: Wed, 20 Apr 2016 16:03:08 +0100
CVE-2016-3693: Foreman application information leakage through template rendering

A provisioning template containing `inspect` will expose sensitive information about the Rails controller and application when rendered using Safemode rendering (the default setting). This includes the application secret token, possibly permitting a privilege escalation when the app is using signed cookies.

Thanks to Ivan Necas for reporting the issue.

As a precaution, the security token may be regenerated with:

    chown foreman /usr/share/foreman/config/initializers/local_secret_token.rb
    foreman-rake security:generate_token
    chown root /usr/share/foreman/config/initializers/local_secret_token.rb

Mitigation: remove edit_provisioning_templates from untrusted users.

Affects all known Foreman versions.
Fix released in Foreman 1.11.1 and safemode 1.2.4.

Patches:

1. The safemode gem (https://rubygems.org/gems/safemode) was patched to disallow the inspect instance method: https://github.com/svenfuchs/safemode/commit/0f764a1720a3a68fd2842e21377c8bfad6d7126f
2. Foreman was patched to use this in https://github.com/theforeman/foreman/commit/82f9b93c54f72c5814df6bab7fad057eab65b2f2

More information:
http://theforeman.org/security.html#2016-3693
http://projects.theforeman.org/issues/14635
http://theforeman.org/

--
Dominic Cleal
dominic () cleal org
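To illustrate the mechanism the advisory describes, here is an added Ruby example (not Foreman's or the safemode gem's own code): a stand-in controller object whose default `inspect` dumps every instance variable, secret included, beside a minimal allow-list proxy (hypothetical `AllowListJail`) that refuses `inspect` before dispatch, the approach the patched gem takes. The class names and the secret value are constructed for the example.

```ruby
# Added illustration (not Foreman or safemode code): why a bare `inspect`
# leaks state, and how an allow-list proxy blocks it.

# A stand-in for a Rails controller holding a secret (constructed value).
class FakeController
  def initialize
    @secret_token = "constructed-secret-token-0000" # constructed placeholder
    @name = "hosts"
  end

  def name
    @name
  end
end

# Minimal allow-list proxy in the spirit of safemode's "jails" (hypothetical
# name `AllowListJail`). Only explicitly listed methods are forwarded; anything
# else, including Object#inspect, raises instead of dumping the receiver.
class AllowListJail
  class DeniedMethod < StandardError; end

  def initialize(target, allowed)
    @target = target
    @allowed = allowed.map(&:to_sym)
  end

  def call(method_name, *args)
    sym = method_name.to_sym
    raise DeniedMethod, "#{sym} is not permitted in templates" unless @allowed.include?(sym)
    @target.public_send(sym, *args)
  end
end

# Unjailed: Ruby's default inspect prints every instance variable, secret included.
def leaks_secret?(obj)
  obj.inspect.include?("secret-token")
end

# Jailed: the allowed method works, `inspect` is refused with a clear error.
def jailed_result(method_name)
  jail = AllowListJail.new(FakeController.new, [:name])
  jail.call(method_name)
rescue AllowListJail::DeniedMethod => e
  "denied: #{e.message}"
end
```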