Date: Thu, 31 Mar 2016 09:19:40 +0100 From: Dominic Cleal <dominic@...al.org> To: oss-security@...ts.openwall.com Cc: foreman-security@...glegroups.com Subject: CVE-2016-2100: Foreman private bookmarks can be viewed and edited CVE-2016-2100: Foreman allows read and write access to search bookmarks set as 'private' to other users. Bookmarks can be stored for quick access to frequent searches in the Foreman web UI, which can be used to filter lists of hosts and other objects. These are either marked private or public, however the UI and API for users to manage their bookmarks listed all bookmarks, including private bookmarks of other users. This allowed them to be viewed, edited, or deleted. Affects: Foreman 0.3 or higher Fix released in Foreman 1.10.3 and Foreman 1.11.0-RC2 Patch: https://github.com/theforeman/foreman/commit/a61344da14f73920b4bdc7ad8220e7a0ed998031 More information: http://theforeman.org/security.html#2016-2100 http://projects.theforeman.org/issues/13828 http://theforeman.org/ -- Dominic Cleal dominic@...al.org Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ