Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 25 Jul 2016 16:16:06 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-4451, CVE-2016-4475: Foreman organizations/locations API/UI
 privilege escalations

1) CVE-2016-4451: organizations/locations privilege escalation in
Foreman API

When accessing Foreman as a user limited to specific organization, if
users know other organization id and have unlimited filters they can
access/modify other organization data. They just have to set the id as
API parameter.

Affects Foreman 1.7 and higher
Fix released in Foreman 1.12.0 and 1.11.3


2) CVE-2016-4475: privilege escalation in organizations/locations API and UI

When accessing Foreman as a user limited to specific organization or
location, these are not taken into account in the API or parts of the
UI. This allows a user to view, edit and delete organizations and
locations they are not associated with if they have the requisite
permissions.

Affects Foreman 1.1 and higher
Fix released in Foreman 1.12.0 and 1.11.4


Mitigation for both vulnerabilities: make sure you have filters
restricted to organizations or locations when you limit user by
assigning them to particular organizations or locations.

Patches:
https://github.com/theforeman/foreman/commit/1144040f444b4bf4aae81940a150b26b23b4623c
https://github.com/theforeman/foreman/commit/a30ab44ed6f140f1791afc51a1e448afc2ff28f9

More information:
https://theforeman.org/security.html#2016-4451
http://projects.theforeman.org/issues/15182
https://theforeman.org/security.html#2016-4475
http://projects.theforeman.org/issues/15268
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org



Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.