CVE-2016-2100: Foreman private bookmarks can be viewed and edited

[Dominic Cleal <dominic () cleal org>]

CVE-2016-2100: Foreman allows read and write access to search bookmarks
set as 'private' to other users.

Bookmarks can be stored for quick access to frequent searches in the
Foreman web UI, which can be used to filter lists of hosts and other
objects.  These are either marked private or public, however the UI and
API for users to manage their bookmarks listed all bookmarks, including
private bookmarks of other users.  This allowed them to be viewed,
edited, or deleted.

Affects: Foreman 0.3 or higher
Fix released in Foreman 1.10.3 and Foreman 1.11.0-RC2

Patch:
https://github.com/theforeman/foreman/commit/a61344da14f73920b4bdc7ad8220e7a0ed998031

More information:
http://theforeman.org/security.html#2016-2100
http://projects.theforeman.org/issues/13828
http://theforeman.org/

-- 
Dominic Cleal
dominic () cleal org

Attachment: signature.asc
Description: OpenPGP digital signature