Message-ID: <411848dc-8ecb-ed81-1142-c8cce7828cb1@cleal.org>
Date: Wed, 22 Feb 2017 13:00:26 +0000
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-7078: Foreman organization/location authorization vulnerability

CVE-2016-7078: Foreman user with no organizations or locations can see
all resources

A user account that is associated to no organizations or locations is
able to view resources from all organizations/locations in the web UI or
API, when either the organization or location feature is enabled. The
user remains subject to permissions and filters on their assigned roles.

Mitigation: ensure all users are assigned to at least one organization
or location, or disable the feature if unused.

This issue was reported by Daniel Lobato Garcia.

Affects all known Foreman versions
Fix due to be released in Foreman 1.15.0

Patch:
https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905

More information:
https://theforeman.org/security.html#2016-7078
http://projects.theforeman.org/issues/16982
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org
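The following is an added illustration, not Foreman's code and not the content of the linked patch: a resource scope that treats an empty organization or location assignment as "no restriction" (the behaviour the advisory describes), beside a version that requires membership, and an audit helper for the mitigation above. The Struct fields and the `orgs_enabled`/`locs_enabled` keywords are assumptions for the example.

```ruby
# Added illustration (not Foreman's code): how a resource scope can silently
# widen when a user has no organization or location assignments.
# Assumptions: users carry organization_ids/location_ids arrays, resources
# carry organization_id/location_id, and the two feature flags are modelled
# as keyword arguments. All names here are hypothetical.

Resource = Struct.new(:name, :organization_id, :location_id)
User     = Struct.new(:login, :organization_ids, :location_ids)

# Constructed sample data.
RESOURCES = [
  Resource.new('host-a', 1, 10),
  Resource.new('host-b', 2, 20),
  Resource.new('host-c', 1, 30),
].freeze

# Weak pattern: an empty assignment list is treated as "no restriction", so a
# user assigned to nothing sees resources from every organization/location
# whenever that feature is enabled.
def visible_resources_vulnerable(user, resources, orgs_enabled: true, locs_enabled: true)
  resources.select do |r|
    org_ok = !orgs_enabled || user.organization_ids.empty? || user.organization_ids.include?(r.organization_id)
    loc_ok = !locs_enabled || user.location_ids.empty? || user.location_ids.include?(r.location_id)
    org_ok && loc_ok
  end
end

# Hardened pattern: when a taxonomy feature is enabled, membership is required;
# an empty assignment list grants access to nothing rather than everything.
def visible_resources_fixed(user, resources, orgs_enabled: true, locs_enabled: true)
  resources.select do |r|
    org_ok = !orgs_enabled || user.organization_ids.include?(r.organization_id)
    loc_ok = !locs_enabled || user.location_ids.include?(r.location_id)
    org_ok && loc_ok
  end
end

# Audit helper matching the advisory's mitigation: list users lacking an
# organization or location assignment while that feature is enabled.
def unassigned_users(users, orgs_enabled: true, locs_enabled: true)
  users.select do |u|
    (orgs_enabled && u.organization_ids.empty?) || (locs_enabled && u.location_ids.empty?)
  end
end
```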
