Date: Fri, 02 Jun 2017 09:16:06 +0200
From: Marek Hulán <mhulan@...hat.com>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization on Foreman 1.5+

CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization on Foreman 1.5+

It has been found that a user with user management permissions who is assigned to one or more organizations can perform all operations granted by those permissions on all administrator user objects, including administrators that are not assigned to any organization.

Affects Foreman 1.5 and higher.
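
The following is an added example, not Foreman's code, that models the authorization gap described above in plain Ruby: an organization-scoped actor whose visibility filter also admits user objects that belong to no organization, which is typically how administrator accounts are set up. Every name in it is hypothetical (the User struct, the organizations, the logins, the "edit_users" permission, and the two scope functions), and the hardened variant shows one defensible policy for comparison, not necessarily the exact change made in the linked pull request.

```ruby
# Added example (hypothetical, not Foreman's code): models the CVE-2017-7505
# authorization gap. "Taxonomy scoping" here means a non-admin actor may only
# act on user objects that share at least one organization with the actor.
User = Struct.new(:login, :admin, :organizations, :permissions, keyword_init: true)

# Constructed sample data (hypothetical users and organizations).
ORG_A = "org-a".freeze
ORG_B = "org-b".freeze

ADMIN_NO_ORG = User.new(login: "root-admin", admin: true,  organizations: [],      permissions: [])
ADMIN_IN_B   = User.new(login: "b-admin",    admin: true,  organizations: [ORG_B], permissions: [])
USER_IN_A    = User.new(login: "alice",      admin: false, organizations: [ORG_A], permissions: [])
USER_IN_A2   = User.new(login: "bob",        admin: false, organizations: [ORG_A], permissions: [])
# The actor: non-admin, scoped to org A, holds a user-management permission.
ACTOR_IN_A   = User.new(login: "usermgr-a",  admin: false, organizations: [ORG_A], permissions: ["edit_users"])

ALL_USERS = [ADMIN_NO_ORG, ADMIN_IN_B, USER_IN_A, USER_IN_A2, ACTOR_IN_A].freeze

# Vulnerable scope (hypothetical): a target is visible if it shares an
# organization with the actor OR if it is not assigned to any organization.
# The second branch is what lets an org-scoped actor reach an unscoped
# administrator such as ADMIN_NO_ORG.
def vulnerable_scope(actor, users)
  return users if actor.admin
  users.select do |u|
    u.organizations.empty? || (u.organizations & actor.organizations).any?
  end
end

# Hardened scope (hypothetical policy): objects with no organization are never
# visible to an org-scoped actor, and administrator accounts are excluded from
# non-admin user management entirely.
def fixed_scope(actor, users)
  return users if actor.admin
  users.reject(&:admin).select do |u|
    (u.organizations & actor.organizations).any?
  end
end

# Authorization decision: admins may do anything; everyone else needs the
# permission AND the target must be inside the actor's scope.
def authorized?(actor, permission, target, users, scope_fn)
  return true if actor.admin
  actor.permissions.include?(permission) && scope_fn.call(actor, users).include?(target)
end

# Logins the actor could manage under a given scope function.
def manageable_logins(actor, permission, users, scope_fn)
  users.select { |u| authorized?(actor, permission, u, users, scope_fn) }.map(&:login)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{manageable_logins(ACTOR_IN_A, 'edit_users', ALL_USERS, method(:vulnerable_scope)).inspect}"
  puts "fixed:      #{manageable_logins(ACTOR_IN_A, 'edit_users', ALL_USERS, method(:fixed_scope)).inspect}"
end
```

Under the vulnerable scope the org-A actor can edit "root-admin" even though that administrator belongs to no organization, while "b-admin" stays out of reach only because it happens to be assigned to a different organization; the hardened scope removes both administrators from the non-admin actor's reach.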

Patch available at https://github.com/theforeman/foreman/pull/4545
The fix will be released in Foreman 1.15.1 (not yet released at the time of writing).
For more information please see the Redmine issue http://projects.theforeman.org/issues/19612

--
Marek
