Date: Mon, 25 Jul 2016 16:22:20 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-5390: Foreman information disclosure in host interfaces/parameters API

CVE-2016-5390: Foreman information disclosure in host interfaces/parameters APIs

Non-admin users with the view_hosts permission containing a filter are able to access API routes beneath "hosts", such as GET /api/v2/hosts/secrethost/interfaces, without the filter being taken into account. This allows users to access network interface details (including BMC login details) for any host.

The filter is only correctly used when accessing the main host details (/api/v2/hosts/secrethost). Access to the "nested" routes, which include interfaces, reports, parameters, audits, facts and Puppet classes, is not authorized beyond requiring any view_hosts permission.

Affects Foreman 1.10.0 and higher

Fix released in Foreman 1.12.1 and 1.11.4

Patch: https://github.com/theforeman/foreman/commit/7a86dcfe6b36dd43cd6163ce70599e53f09cc217

More information:
https://theforeman.org/security.html#2016-5390
http://projects.theforeman.org/issues/15653
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org
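The authorization flaw described above, as an added illustration in plain Ruby (not Foreman's code or the linked patch): a nested resource lookup that only checks for *some* view_hosts permission, beside a hardened version that resolves the parent host through the caller's filtered scope. Host names, owners, the lambda-based filter and the BMC values are constructed for this example.

```ruby
# Constructed illustration (not Foreman's code): a nested route such as
# /api/v2/hosts/:host_id/interfaces must resolve its parent host through the
# caller's authorized scope, not through an unfiltered lookup.

Host  = Struct.new(:name, :owner, :interfaces)
Iface = Struct.new(:identifier, :mac, :bmc_username, :bmc_password)

# Sample inventory, constructed for this example.
HOSTS = [
  Host.new("webhost",    "alice", [Iface.new("eth0", "00:11:22:33:44:55", nil, nil)]),
  Host.new("secrethost", "bob",   [Iface.new("bmc",  "00:11:22:33:44:66", "ADMIN", "s3cret")]),
].freeze

# A user holds permissions plus a filter (here a lambda) restricting which hosts are visible.
User = Struct.new(:login, :permissions, :host_filter)

class NotFound  < StandardError; end
class Forbidden < StandardError; end

# Vulnerable pattern: requires that view_hosts exists at all, then looks the
# parent host up in the full table, so the filter never applies.
def interfaces_unfiltered(user, host_name)
  raise Forbidden unless user.permissions.include?(:view_hosts)
  host = HOSTS.find { |h| h.name == host_name } or raise NotFound
  host.interfaces
end

# Hardened pattern: the parent host is taken from the set the user's filter
# permits. A host outside the filter looks exactly like a nonexistent one
# (NotFound), so interface and BMC details cannot be enumerated.
def authorized_hosts(user)
  return [] unless user.permissions.include?(:view_hosts)
  HOSTS.select { |h| user.host_filter.call(h) }
end

def interfaces_authorized(user, host_name)
  raise Forbidden unless user.permissions.include?(:view_hosts)
  host = authorized_hosts(user).find { |h| h.name == host_name } or raise NotFound
  host.interfaces
end

# A non-admin with view_hosts filtered to hosts she owns.
ALICE = User.new("alice", [:view_hosts], ->(h) { h.owner == "alice" })
```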