|
Message-ID: <57962EAC.7050401@cleal.org>
Date: Mon, 25 Jul 2016 16:22:20 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-5390: Foreman information disclosure in host
interfaces/parameters API
CVE-2016-5390: Foreman information disclosure in host
interfaces/parameters APIs
Non-admin users with the view_hosts permission containing a filter are
able to access API routes beneath "hosts" such as GET
/api/v2/hosts/secrethost/interfaces without the filter being taken into
account. This allows users to access network interface details
(including BMC login details) for any host.
The filter is only correctly used when accessing the main host details
(/api/v2/hosts/secrethost). Access to the "nested" routes, which
includes interfaces, reports, parameters, audits, facts and Puppet
classes, is not authorized beyond requiring any view_hosts permission.
Affects Foreman 1.10.0 and higher
Fix released in Foreman 1.12.1 and 1.11.4
Patch:
https://github.com/theforeman/foreman/commit/7a86dcfe6b36dd43cd6163ce70599e53f09cc217
More information:
https://theforeman.org/security.html#2016-5390
http://projects.theforeman.org/issues/15653
https://theforeman.org
--
Dominic Cleal
dominic@...al.org
Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.