oss-sec mailing list archives

CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization on Foreman 1.5+


From: Marek Hulán <mhulan () redhat com>
Date: Fri, 02 Jun 2017 09:16:06 +0200

It has been found that a user with user management permissions who is assigned to some organization(s) can perform all operations granted by these permissions on all administrator user objects.

Affects Foreman 1.5 and higher.

Patch available at https://github.com/theforeman/foreman/pull/4545
The fix will be released in Foreman 1.15.1 (to be released).
For more information please see the Redmine issue http://projects.theforeman.org/issues/19612

--
Marek
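The following is an added illustration of the bug class the advisory describes, written as a constructed model of organization-scoped authorization; it is not Foreman's code and not the patch from the pull request above. The assumed pattern is an org-scoped filter that treats objects with no organization as "unassigned and visible to everyone", so admin accounts with no organization fall inside every non-admin's scope; the hardened filter stops treating administrators as unassigned, and `leaked_admins` acts as an audit check over a constructed user directory.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    login: str
    admin: bool = False
    orgs: frozenset = field(default_factory=frozenset)


# Constructed sample directory (not real Foreman data).
USERS = [
    User("alice", orgs=frozenset({"org1"})),
    User("bob", orgs=frozenset({"org2"})),
    User("carol", orgs=frozenset({"org1", "org2"})),
    User("root", admin=True),                        # admin, no organization
    User("ops-admin", admin=True, orgs=frozenset({"org2"})),
    User("svc-unassigned"),                          # non-admin, no organization
]


def visible_users_vulnerable(actor, users):
    """Assumed vulnerable scoping: a non-admin sees users that share one of
    its organizations OR any user with no organization at all. Admins that
    are not assigned to an organization therefore leak into every scope."""
    if actor.admin:
        return list(users)
    return [u for u in users if not u.orgs or (u.orgs & actor.orgs)]


def visible_users_fixed(actor, users):
    """Hardened scoping (modelled fix): unassigned objects stay visible, but
    an administrator is never treated as 'unassigned', so a non-admin can
    only reach admin accounts that share one of its organizations."""
    if actor.admin:
        return list(users)
    return [u for u in users
            if (u.orgs & actor.orgs) or (not u.orgs and not u.admin)]


def leaked_admins(actor, users):
    """Audit helper: admin logins the vulnerable filter exposes to `actor`
    that the hardened filter does not. Non-empty means the actor could
    manage administrators outside its organizations."""
    fixed = {u.login for u in visible_users_fixed(actor, users)}
    return sorted(u.login for u in visible_users_vulnerable(actor, users)
                  if u.admin and u.login not in fixed)


if __name__ == "__main__":
    alice = USERS[0]
    print("leaked to alice:", leaked_admins(alice, USERS))  # ['root']
```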

