oss-sec mailing list archives
CVE-2016-4451: Privilege escalation through Organization and Locations Foreman API
From: Marek Hulán <mhulan () redhat com>
Date: Fri, 27 May 2016 14:34:23 +0200
CVE-2016-4451: Privilege escalation through Organization and Locations API

When accessing Foreman as a user limited to a specific organization, if users know another organization's id and have unlimited filters, they can access/modify the other organization's data. They just have to set the id as an API parameter.

Mitigation: make sure you have filters restricted to organizations or locations when you limit a user by assigning them a particular organization or location.

Affects Foreman 1.7 and higher.

Patch available at https://github.com/theforeman/foreman/pull/3553

Fix released in Foreman 1.11.3 (to be released).

For more information please see Redmine issue http://projects.theforeman.org/issues/15182

-- Marek
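The scoping problem the advisory describes, modelled as an added example (not Foreman's code; the `User`/`Filter` structs, the `authorized_organization` function and the sample users are hypothetical): a filter marked unlimited lets the organization id taken from the API parameter override the user's organization assignment, while the hardened path checks the requested id against the user's assignments regardless of how the filter is marked.

```ruby
# Added illustration of the organization-scoping check from the advisory.
# Not Foreman's code: User, Filter and authorized_organization are hypothetical
# stand-ins for the real permission model.

# unlimited = true means the filter carries no organization/location restriction
Filter = Struct.new(:resource, :unlimited)
User   = Struct.new(:login, :organization_ids, :filters)

# Returns the organization id the request is allowed to operate on, or nil
# when the request must be denied.
#
# enforce_assignment: false reproduces the flaw described in the advisory:
# with an unlimited filter the organization id supplied as an API parameter
# is trusted as-is. The default (true) is the hardened behaviour.
def authorized_organization(user, resource, requested_org_id, enforce_assignment: true)
  filter = user.filters.find { |f| f.resource == resource }
  return nil unless filter # no permission on this resource at all

  # Flawed path: an unlimited filter short-circuits the organization check,
  # so any id the caller knows is accepted.
  return requested_org_id if filter.unlimited && !enforce_assignment

  # Hardened path: whether or not the filter is marked unlimited, the user
  # must actually be assigned to the requested organization.
  user.organization_ids.include?(requested_org_id) ? requested_org_id : nil
end

# Constructed sample: alice is assigned to organization 1 only and holds an
# unlimited filter on 'hosts'; organization 2 belongs to someone else.
def demo
  alice = User.new('alice', [1], [Filter.new('hosts', true)])
  {
    flawed_own:   authorized_organization(alice, 'hosts', 1, enforce_assignment: false),
    flawed_other: authorized_organization(alice, 'hosts', 2, enforce_assignment: false),
    fixed_own:    authorized_organization(alice, 'hosts', 1),
    fixed_other:  authorized_organization(alice, 'hosts', 2),
    no_perm:      authorized_organization(alice, 'domains', 1)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In the flawed configuration `alice` reaches organization 2 simply by naming it; with assignment enforced the same request is denied while her own organization still works, which is the effect the advisory's mitigation (restricting filters to organizations or locations) is meant to achieve.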