Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <56FCDD9C.7090000@cleal.org>
Date: Thu, 31 Mar 2016 09:19:40 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-2100: Foreman private bookmarks can be viewed and edited

CVE-2016-2100: Foreman allows read and write access to search bookmarks
set as 'private' to other users.

Bookmarks can be stored for quick access to frequent searches in the
Foreman web UI, which can be used to filter lists of hosts and other
objects.  These are either marked private or public, however the UI and
API for users to manage their bookmarks listed all bookmarks, including
private bookmarks of other users.  This allowed them to be viewed,
edited, or deleted.

Affects: Foreman 0.3 or higher
Fix released in Foreman 1.10.3 and Foreman 1.11.0-RC2

Patch:
https://github.com/theforeman/foreman/commit/a61344da14f73920b4bdc7ad8220e7a0ed998031

More information:
http://theforeman.org/security.html#2016-2100
http://projects.theforeman.org/issues/13828
http://theforeman.org/

-- 
Dominic Cleal
dominic@...al.org



Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.