Date: Mon, 25 Jul 2016 16:20:29 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-4995: Foreman information disclosure through unauthorized template previews

CVE-2016-4995: Foreman information disclosure through unauthorized template previews

Users who are logged in with permissions to view some hosts are able to preview provisioning templates for any host by specifying its hostname in the URL, as the specific view_hosts permissions and filters aren't checked. If the organization or location features are enabled, the user will still be restricted to their associated orgs/locs.

Affects Foreman 1.11.0 and higher

Fix released in Foreman 1.12.1 and 1.11.4

Patch: https://github.com/theforeman/foreman/commit/c3c186de12be15e55d9582e54659f765304a1073

More information:
https://theforeman.org/security.html#2016-4995
http://projects.theforeman.org/issues/15490
https://theforeman.org

--
Dominic Cleal
dominic@...al.org
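The authorization gap described in the advisory, modelled as an added example that is not Foreman's own code: a hostname taken from the URL is resolved against all hosts in the user's organizations (vulnerable), versus only against the hosts the user's filtered view_hosts permission allows (fixed). The Host and User structures, the sample hosts and the Regexp-based filter are constructed assumptions standing in for Foreman's models and search filters.

```ruby
# Constructed model of the CVE-2016-4995 pattern (not Foreman code). A host's
# rendered provisioning template can embed secrets such as root passwords.
Host = Struct.new(:name, :org, :template)

HOSTS = [                                                 # constructed sample data
  Host.new("web1.example.com", "OrgA", "rootpw=web-secret"),
  Host.new("db1.example.com",  "OrgA", "rootpw=db-secret"),
  Host.new("web9.example.com", "OrgB", "rootpw=other-org-secret"),
].freeze

# A user belongs to organizations and holds a view_hosts permission that is
# narrowed by a search filter (modelled here as a Regexp on the host name).
User = Struct.new(:orgs, :view_hosts_filter)

# Vulnerable lookup: the hostname from the URL is resolved against every host
# in the user's organizations; the view_hosts filter is never consulted, so a
# host the user cannot list can still be previewed.
def preview_vulnerable(user, hostname)
  host = HOSTS.find { |h| h.name == hostname && user.orgs.include?(h.org) }
  host&.template
end

# Hosts the user may view: organization membership AND the permission filter.
def authorized_hosts(user)
  HOSTS.select do |h|
    user.orgs.include?(h.org) && h.name.match?(user.view_hosts_filter)
  end
end

# Fixed lookup: resolve the hostname only inside the authorized scope, so an
# unauthorized host behaves exactly like a non-existent one (nil / 404).
def preview_fixed(user, hostname)
  host = authorized_hosts(user).find { |h| h.name == hostname }
  host&.template
end

if __FILE__ == $PROGRAM_NAME
  # User in OrgA whose view_hosts permission is filtered to web* hosts only.
  web_admin = User.new(["OrgA"], /\Aweb/)
  puts "vulnerable: #{preview_vulnerable(web_admin, 'db1.example.com').inspect}"
  puts "fixed:      #{preview_fixed(web_admin, 'db1.example.com').inspect}"
end
```

The org/loc restriction the advisory mentions is the `user.orgs.include?` check that both lookups share; the missing piece in the vulnerable path is the permission filter.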