Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 20 Apr 2016 16:03:08 +0100
From: Dominic Cleal <>
Subject: CVE-2016-3693: Foreman application information leakage through

CVE-2016-3693: Foreman application information leakage through template

A provisioning template containing `inspect` will expose sensitive
information about the Rails controller and application when rendered
when using Safemode rendering (the default setting). This includes the
application secret token, possibly permitting a privilege escalation
when the app is using signed cookies.

Thanks to Ivan Necas for reporting the issue.

As a precaution, the security token may be regenerated with:

  chown foreman /usr/share/foreman/config/initializers/local_secret_token.rb
  foreman-rake security:generate_token
  chown root /usr/share/foreman/config/initializers/local_secret_token.rb

Mitigation: remove edit_provisioning_templates from untrusted users.

Affects all known Foreman versions
Fix released in Foreman 1.11.1 and safemode 1.2.4

1. The safemode gem ( was patched to
disallow the inspect instance method:
2. Foreman was patched to use this in

More information:

Dominic Cleal

Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.