Date: Fri, 27 May 2016 14:34:23 +0200
From: Marek Hulán <>
Subject: CVE-2016-4451: Privilege escalation through Organization and Locations Foreman API

CVE-2016-4451: Privilege escalation through Organization and Locations API

When accessing Foreman as a user limited to a specific organization, if the user
knows another organization's id and has unlimited filters, they can access or
modify that other organization's data. They only have to pass the id as an API
parameter.

Mitigation: when you limit a user by assigning them a particular organization or
location, make sure their filters are also restricted to those organizations or
locations.
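The following is an added example, not Foreman's code, illustrating the class of bug described above and the server-side check that closes it. It models a user assigned to one organization, role filters that are either "unlimited" or restricted to a set of organization ids, and a lookup that either trusts the client-supplied organization id (consulting only the filter) or first checks that id against the user's own assignments. The `User`, `Filter` and `Host` structs, the `hosts_for` functions and the sample data are all constructed for this illustration.

```ruby
# Added example (not Foreman's code): server-side organization scoping.
# A user is assigned to some organizations; a role filter is either
# "unlimited" (covers every organization) or restricted to a set of
# organization ids. All names and data here are constructed.

User   = Struct.new(:name, :organization_ids)
Filter = Struct.new(:unlimited, :organization_ids)
Host   = Struct.new(:name, :organization_id)

# Hypothetical authorization check: may +user+ act on records belonging to
# organization +org_id+, given their role filters?
def organization_permitted?(user, filters, org_id)
  # The organization named in the request must be one the user is assigned
  # to, whatever value the client put in the organization_id parameter.
  return false unless user.organization_ids.include?(org_id)
  # Some filter must also cover that organization (unlimited covers all).
  filters.any? { |f| f.unlimited || f.organization_ids.include?(org_id) }
end

# Hypothetical vulnerable lookup: trusts the requested organization id and
# consults only the filters, so an unlimited filter exposes every org.
def hosts_for_trusting_param(filters, hosts, requested_org_id)
  covered = filters.any? do |f|
    f.unlimited || f.organization_ids.include?(requested_org_id)
  end
  return [] unless covered
  hosts.select { |h| h.organization_id == requested_org_id }
end

# Hardened lookup: the requested organization is checked against the
# user's own assignments before the filters are consulted.
def hosts_for(user, filters, hosts, requested_org_id)
  return [] unless organization_permitted?(user, filters, requested_org_id)
  hosts.select { |h| h.organization_id == requested_org_id }
end

# Constructed sample data.
HOSTS      = [Host.new("web1", 1), Host.new("db1", 2)]
ALICE      = User.new("alice", [1])       # limited to organization 1
UNLIMITED  = [Filter.new(true, [])]       # filter not restricted to any org
RESTRICTED = [Filter.new(false, [1])]     # filter restricted to org 1

if __FILE__ == $PROGRAM_NAME
  # Unlimited filter + trusted parameter: organization 2 data leaks.
  p hosts_for_trusting_param(UNLIMITED, HOSTS, 2).map(&:name)  # ["db1"]
  # Same request through the hardened lookup: nothing returned.
  p hosts_for(ALICE, UNLIMITED, HOSTS, 2).map(&:name)          # []
  # Legitimate request within the user's own organization still works.
  p hosts_for(ALICE, RESTRICTED, HOSTS, 1).map(&:name)         # ["web1"]
end
```

The point of the contrast is that the mitigation in the advisory (restricting filters) removes the exposure even in the vulnerable lookup, while the hardened lookup makes the user's organization assignment authoritative regardless of how filters are configured.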

Affects Foreman 1.7 and higher

Patch available at
Fix released in Foreman 1.11.3 (to be released)
For more information please see Redmine issue
