oss-sec mailing list archives
CVE-2016-4451, CVE-2016-4475: Foreman organizations/locations API/UI privilege escalations
From: Dominic Cleal <dominic () cleal org>
Date: Mon, 25 Jul 2016 16:16:06 +0100
1) CVE-2016-4451: organizations/locations privilege escalation in Foreman API

When accessing Foreman as a user limited to a specific organization, if users know another organization's id and have unlimited filters they can access/modify the other organization's data. They just have to set the id as an API parameter.

Affects Foreman 1.7 and higher
Fix released in Foreman 1.12.0 and 1.11.3

2) CVE-2016-4475: privilege escalation in organizations/locations API and UI

When accessing Foreman as a user limited to a specific organization or location, these are not taken into account in the API or parts of the UI. This allows a user to view, edit and delete organizations and locations they are not associated with if they have the requisite permissions.

Affects Foreman 1.1 and higher
Fix released in Foreman 1.12.0 and 1.11.4

Mitigation for both vulnerabilities: make sure you have filters restricted to organizations or locations when you limit users by assigning them to particular organizations or locations.

Patches:
https://github.com/theforeman/foreman/commit/1144040f444b4bf4aae81940a150b26b23b4623c
https://github.com/theforeman/foreman/commit/a30ab44ed6f140f1791afc51a1e448afc2ff28f9

More information:
https://theforeman.org/security.html#2016-4451
http://projects.theforeman.org/issues/15182
https://theforeman.org/security.html#2016-4475
http://projects.theforeman.org/issues/15268
https://theforeman.org

--
Dominic Cleal
dominic () cleal org
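The following Ruby sketch is an added illustration of the authorization shape the advisory describes; it is not Foreman's code and does not reproduce the linked patches. The Host, Filter and User structs, the host inventory, the user "alice" and the function names are all constructed for the example. It puts the unscoped lookup (permission filters only, then narrowed by a caller-supplied organization_id) beside a scoped lookup that intersects every result with the user's assigned organizations, and it shows why the advisory's mitigation works: a filter restricted to the user's organization stops an unlimited filter from reaching across organizations even before the code fix is applied.

```ruby
# Added illustration, not Foreman's code: a minimal model of organization
# scoping for an API endpoint, showing the unscoped lookup beside the scoped
# one and the effect of the advisory's mitigation (restricting the filter).
require 'set'

Host   = Struct.new(:id, :name, :organization_id)
# A role filter grants a permission; organization_ids nil means "unlimited"
# (no organization restriction on the filter), as in the advisory.
Filter = Struct.new(:permission, :organization_ids)
User   = Struct.new(:name, :organization_ids, :filters)

class AuthorizationError < StandardError; end

# Constructed sample inventory: organization 10 and organization 20.
HOSTS = [
  Host.new(1, 'web01',   10),
  Host.new(2, 'db01',    10),
  Host.new(3, 'build01', 20)
].freeze

# Hosts a single filter makes visible, independent of which organizations the
# user is assigned to.
def filter_scope(filter)
  return HOSTS if filter.organization_ids.nil? # unlimited filter
  HOSTS.select { |h| filter.organization_ids.include?(h.organization_id) }
end

# Pre-fix shape: only the permission filters bound the result; the
# organization_id supplied in the request (under the caller's control) then
# narrows it, so the user's own organization assignment never enters.
def list_hosts_unscoped(user, params)
  scope = user.filters
              .select { |f| f.permission == :view_hosts }
              .flat_map { |f| filter_scope(f) }
              .uniq
  requested = params[:organization_id]
  requested ? scope.select { |h| h.organization_id == requested } : scope
end

# Fixed shape: the requested organization must be one the user is assigned to,
# and the result is always intersected with that assignment, so an unlimited
# filter no longer reaches across organizations.
def list_hosts_scoped(user, params)
  allowed   = Set.new(user.organization_ids)
  requested = params[:organization_id]
  if requested && !allowed.include?(requested)
    raise AuthorizationError, "#{user.name} is not assigned to organization #{requested}"
  end
  list_hosts_unscoped(user, params).select { |h| allowed.include?(h.organization_id) }
end

# alice is assigned to organization 10 only, but her filter is unlimited.
ALICE_UNLIMITED  = User.new('alice', [10], [Filter.new(:view_hosts, nil)])
# The same user after the advisory's mitigation: the filter itself is restricted.
ALICE_RESTRICTED = User.new('alice', [10], [Filter.new(:view_hosts, [10])])

if __FILE__ == $PROGRAM_NAME
  other_org = { organization_id: 20 }
  puts "unscoped, unlimited filter:  #{list_hosts_unscoped(ALICE_UNLIMITED, other_org).map(&:name)}"
  puts "unscoped, restricted filter: #{list_hosts_unscoped(ALICE_RESTRICTED, other_org).map(&:name)}"
  begin
    list_hosts_scoped(ALICE_UNLIMITED, other_org)
  rescue AuthorizationError => e
    puts "scoped: #{e.message}"
  end
end
```

Run directly, the first line shows the unlimited filter exposing build01 from organization 20, the second shows the restricted filter returning nothing for that organization, and the third shows the scoped lookup refusing the request outright. The check in list_hosts_scoped is deliberately two-sided: it rejects an explicit organization_id outside the assignment and also intersects the result when no organization_id is given, so neither an omitted nor a forged parameter widens the scope.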