oss-sec mailing list archives
CVE-2016-2100: Foreman private bookmarks can be viewed and edited
From: Dominic Cleal <dominic () cleal org>
Date: Thu, 31 Mar 2016 09:19:40 +0100
CVE-2016-2100: Foreman allows read and write access to search bookmarks set as 'private' to other users. Bookmarks can be stored for quick access to frequent searches in the Foreman web UI, which can be used to filter lists of hosts and other objects. These are either marked private or public, however the UI and API for users to manage their bookmarks listed all bookmarks, including private bookmarks of other users. This allowed them to be viewed, edited, or deleted. Affects: Foreman 0.3 or higher Fix released in Foreman 1.10.3 and Foreman 1.11.0-RC2 Patch: https://github.com/theforeman/foreman/commit/a61344da14f73920b4bdc7ad8220e7a0ed998031 More information: http://theforeman.org/security.html#2016-2100 http://projects.theforeman.org/issues/13828 http://theforeman.org/ -- Dominic Cleal dominic () cleal org
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE-2016-2100: Foreman private bookmarks can be viewed and edited Dominic Cleal (Mar 31)