Message-ID: <2395094.PLkjrNgCai@tony>
Date: Fri, 02 Jun 2017 09:16:06 +0200
From: Marek Hulán <mhulan@...hat.com>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization on Foreman 1.5+

CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization on Foreman 1.5+

It has been found that a user with user management permission who is assigned to some organization(s) can do all operations granted by these permissions on all administrator user objects.

Affects Foreman 1.5 and higher.

Patch available at https://github.com/theforeman/foreman/pull/4545

Fix will be released in Foreman 1.15.1 (to be released)

For more information please see the Redmine issue http://projects.theforeman.org/issues/19612

--
Marek