Date: Wed, 22 Feb 2017 13:00:26 +0000
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-7078: Foreman organization/location authorization vulnerability

CVE-2016-7078: Foreman user with no organizations or locations can see all resources

A user account that is associated to no organizations or locations is able to view resources from all organizations/locations in the web UI or API, when either the organization or location feature is enabled. The user remains subject to permissions and filters on their assigned roles.

Mitigation: ensure all users are assigned to at least one organization or location, or disable the feature if unused.

This issue was reported by Daniel Lobato Garcia.

Affects all known Foreman versions
Fix due to be released in Foreman 1.15.0
Patch: https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905

More information:
https://theforeman.org/security.html#2016-7078
http://projects.theforeman.org/issues/16982
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
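The failure mode behind this advisory is a common authorization-scoping bug: an empty membership list is treated as "no filter to apply" instead of "nothing is allowed". The following plain-Ruby example is added here to illustrate that pattern; it is not Foreman's code, does not use ActiveRecord, and models only organizations (the location case is symmetric). The names Resource, User, visible_resources_vulnerable, visible_resources_fixed and users_without_taxonomy, and the sample data, are all constructed for the illustration.

```ruby
# Added example (not Foreman's code): the "empty scope means no filter" bug
# pattern described in the advisory, modelled in plain Ruby. All names here
# are hypothetical.

Resource = Struct.new(:name, :organization)
User     = Struct.new(:login, :organizations)

# Constructed sample data: three resources across two organizations.
RESOURCES = [
  Resource.new("web01", "acme"),
  Resource.new("db01",  "acme"),
  Resource.new("web02", "globex"),
].freeze

# Vulnerable form: the organization filter is only applied when the user has
# at least one organization. A user with none falls through to the
# unfiltered list and sees every organization's resources.
def visible_resources_vulnerable(user, resources = RESOURCES)
  return resources if user.organizations.empty?
  resources.select { |r| user.organizations.include?(r.organization) }
end

# Hardened form: the filter is always applied, so an empty membership list
# yields an empty result (fail closed). Role permissions and filters would
# still apply on top of this, as the advisory notes.
def visible_resources_fixed(user, resources = RESOURCES)
  allowed = user.organizations
  resources.select { |r| allowed.include?(r.organization) }
end

# Check for the advisory's mitigation: list users that are assigned to no
# organization so an administrator can assign one (or disable the feature).
def users_without_taxonomy(users)
  users.select { |u| u.organizations.empty? }.map(&:login)
end

if __FILE__ == $PROGRAM_NAME
  orphan = User.new("contractor", [])
  acme   = User.new("alice", ["acme"])
  puts "vulnerable, no orgs: #{visible_resources_vulnerable(orphan).map(&:name).inspect}"
  puts "fixed, no orgs:      #{visible_resources_fixed(orphan).map(&:name).inspect}"
  puts "fixed, acme:         #{visible_resources_fixed(acme).map(&:name).inspect}"
  puts "users to fix:        #{users_without_taxonomy([orphan, acme]).inspect}"
end
```

The design point is that an allow-list scope must be applied unconditionally: an early return that skips the filter on an empty list turns the least-privileged user (no memberships at all) into the one with the widest view. The users_without_taxonomy check is the kind of audit an administrator would run while waiting for the fixed release.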