oss-sec mailing list archives
CVE-2016-4995: Foreman information disclosure through unauthorized template previews
From: Dominic Cleal <dominic () cleal org>
Date: Mon, 25 Jul 2016 16:20:29 +0100
CVE-2016-4995: Foreman information disclosure through unauthorized template previews

Users who are logged in with permissions to view some hosts are able to preview provisioning templates for any host by specifying its hostname in the URL, as the specific view_hosts permissions and filters aren't checked. If the organization or location features are enabled, the user will still be restricted to their associated orgs/locs.

Affects Foreman 1.11.0 and higher
Fix released in Foreman 1.12.1 and 1.11.4

Patch: https://github.com/theforeman/foreman/commit/c3c186de12be15e55d9582e54659f765304a1073

More information:
https://theforeman.org/security.html#2016-4995
http://projects.theforeman.org/issues/15490
https://theforeman.org

--
Dominic Cleal
dominic () cleal org
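To illustrate the class of bug the advisory describes, the following is an added Ruby example; it is not Foreman's code and does not model Foreman's actual classes. It builds a toy host inventory and a user whose view_hosts permission carries a filter, then contrasts a template lookup that only applies org scoping (the behaviour the advisory describes) with one that resolves the hostname through the user's authorized scope. All names (Host, User, Filter, preview_template_unscoped, preview_template_scoped) and all sample hosts and users are constructed for this example.

```ruby
# Added example, not Foreman's code: a toy model of the authorization gap in
# CVE-2016-4995. A user's view_hosts permission carries a filter that must be
# applied when a host is looked up by name; looking it up directly skips the
# filter, while resolving it through the authorized scope enforces it.

Host = Struct.new(:name, :organization, :template)

# Constructed sample inventory. Provisioning templates are treated as
# sensitive because rendered templates can embed credentials.
HOSTS = [
  Host.new("web01.example.com", "org-a", "kickstart for web01"),
  Host.new("web02.example.com", "org-a", "kickstart for web02"),
  Host.new("db01.example.com",  "org-a", "kickstart for db01 (db credentials)"),
  Host.new("web01.other.com",   "org-b", "kickstart for other-web01"),
].freeze

# A permission grant: a permission name plus a filter predicate over hosts.
Filter = Struct.new(:permission, :predicate)

User = Struct.new(:login, :organizations, :filters) do
  # Hosts this user may see for a given permission: org scoping plus every
  # filter attached to that permission (a host passes if any filter matches).
  def authorized(permission)
    preds = filters.select { |f| f.permission == permission }.map(&:predicate)
    return [] if preds.empty?
    HOSTS.select do |h|
      organizations.include?(h.organization) && preds.any? { |p| p.call(h) }
    end
  end
end

# Vulnerable pattern: only organization scoping is applied; the view_hosts
# filter is ignored, so any hostname inside the user's org resolves.
def preview_template_unscoped(user, hostname)
  host = HOSTS.find do |h|
    h.name == hostname && user.organizations.include?(h.organization)
  end
  host && host.template
end

# Fixed pattern: resolve the hostname through the authorized scope, so a host
# outside the user's view_hosts filter is indistinguishable from a missing one.
def preview_template_scoped(user, hostname)
  host = user.authorized(:view_hosts).find { |h| h.name == hostname }
  host && host.template
end

# Constructed user: in org-a, allowed to view only hosts whose name starts
# with "web".
WEB_ADMIN = User.new(
  "webadmin",
  ["org-a"],
  [Filter.new(:view_hosts, ->(h) { h.name.start_with?("web") })]
)

if $PROGRAM_NAME == __FILE__
  # The unscoped lookup leaks db01's template; the scoped lookup returns nil.
  puts "unscoped: #{preview_template_unscoped(WEB_ADMIN, 'db01.example.com').inspect}"
  puts "scoped:   #{preview_template_scoped(WEB_ADMIN, 'db01.example.com').inspect}"
end
```

The practical check this suggests for any similar "preview by identifier" endpoint is that the object is fetched through the same authorization scope the listing view uses, rather than by a bare name or id lookup followed only by coarse org/location scoping.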