Date: Mon, 25 Jul 2016 16:16:06 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-4451, CVE-2016-4475: Foreman organizations/locations API/UI privilege escalations

1) CVE-2016-4451: organizations/locations privilege escalation in Foreman API

When accessing Foreman as a user limited to a specific organization, if the user knows another organization's id and has unlimited filters, they can access/modify the other organization's data. They just have to set the id as an API parameter.

Affects Foreman 1.7 and higher
Fix released in Foreman 1.12.0 and 1.11.3

2) CVE-2016-4475: privilege escalation in organizations/locations API and UI

When accessing Foreman as a user limited to a specific organization or location, these are not taken into account in the API or parts of the UI. This allows a user to view, edit and delete organizations and locations they are not associated with if they have the requisite permissions.

Affects Foreman 1.1 and higher
Fix released in Foreman 1.12.0 and 1.11.4

Mitigation for both vulnerabilities: make sure you have filters restricted to organizations or locations when you limit users by assigning them to particular organizations or locations.

Patches:
https://github.com/theforeman/foreman/commit/1144040f444b4bf4aae81940a150b26b23b4623c
https://github.com/theforeman/foreman/commit/a30ab44ed6f140f1791afc51a1e448afc2ff28f9

More information:
https://theforeman.org/security.html#2016-4451
http://projects.theforeman.org/issues/15182
https://theforeman.org/security.html#2016-4475
http://projects.theforeman.org/issues/15268
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org
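The two advisories above describe the same defect class: a permission check that passes (the user holds a filter for the action) without the record lookup being scoped to the organizations the user is assigned to, so an id taken from the request reaches another tenant's data. The following Ruby is an added illustration of the weak lookup beside the scoped one; it is not Foreman's code and does not reflect its models or the linked patches. The User, Filter, HOSTS and ORGANIZATIONS definitions, the view_hosts permission name and the sample rows are all constructed for this example.

```ruby
# Added illustration (not Foreman's code): scope record lookups by the
# organizations the user is assigned to, so an id supplied as a request
# parameter cannot reach another organization's data.
require 'set'

# Constructed sample data: two organizations and one host in each.
ORGANIZATIONS = { 1 => 'Org A', 2 => 'Org B' }.freeze
HOSTS = [
  { id: 10, name: 'web01.example', organization_id: 1 },
  { id: 11, name: 'db01.example',  organization_id: 2 },
].freeze

# A user has assigned organizations and a set of permission filters. A filter
# is "unlimited" when it carries no organization restriction of its own.
User   = Struct.new(:login, :organization_ids, :filters, keyword_init: true)
Filter = Struct.new(:permission, :organization_ids, keyword_init: true) do
  def unlimited?
    organization_ids.nil? || organization_ids.empty?
  end
end

class NotFound < StandardError; end

# Weak pattern: the permission check passes because the user holds a
# view_hosts filter, then the record is fetched purely by the request id.
def find_host_unscoped(user, host_id)
  raise NotFound unless user.filters.any? { |f| f.permission == 'view_hosts' }
  HOSTS.find { |h| h[:id] == host_id } or raise NotFound
end

# Hardened pattern, step 1: resolve the organizations the user may act in for
# a permission. An unlimited filter falls back to the user's own assignments,
# and the result never exceeds those assignments.
def visible_organization_ids(user, permission)
  allowed = Set.new
  user.filters.select { |f| f.permission == permission }.each do |f|
    allowed.merge(f.unlimited? ? user.organization_ids : f.organization_ids)
  end
  allowed & user.organization_ids.to_set
end

# Hardened pattern, step 2: look the record up inside that scope. An id
# outside the scope behaves exactly like a nonexistent record, so the
# response does not confirm that the other organization's host exists.
def find_host_scoped(user, host_id)
  scope = visible_organization_ids(user, 'view_hosts')
  raise NotFound if scope.empty?
  HOSTS.find { |h| h[:id] == host_id && scope.include?(h[:organization_id]) } or raise NotFound
end

# The organization resource itself gets the same treatment: only organizations
# the user is assigned to are resolvable, whatever id the request carries.
def find_organization_scoped(user, org_id)
  raise NotFound unless user.organization_ids.include?(org_id) && ORGANIZATIONS.key?(org_id)
  ORGANIZATIONS[org_id]
end

if __FILE__ == $PROGRAM_NAME
  # alice is assigned to Org A only but holds an unlimited view_hosts filter.
  alice = User.new(login: 'alice', organization_ids: [1],
                   filters: [Filter.new(permission: 'view_hosts', organization_ids: nil)])
  puts "unscoped lookup of Org B host: #{find_host_unscoped(alice, 11)[:name]}"
  begin
    find_host_scoped(alice, 11)
  rescue NotFound
    puts 'scoped lookup of Org B host: not found'
  end
end
```

The scoped variant is the one the mitigation above asks administrators to approximate through filter configuration: a filter with no organization restriction must still be bounded by the user's assigned organizations, and that bound has to be applied where the record is loaded, not only where the permission is checked.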