Message-ID: <2395094.PLkjrNgCai@tony>
Date: Fri, 02 Jun 2017 09:16:06 +0200
From: Marek Hulán <mhulan@...hat.com>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization on Foreman 1.5+

CVE-2017-7505: User scoped in organization with permissions for user 
management can manage administrators that are not assigned to any organization 
on Foreman 1.5+

It has been found that a user with user management permissions who is assigned to 
some organization(s) can perform all operations granted by those permissions on all 
administrator user objects.

Affects Foreman 1.5 and higher.

Patch available at https://github.com/theforeman/foreman/pull/4545
Fix will be released in Foreman 1.15.1 (to be released)
For more information please see the Redmine issue http://projects.theforeman.org/issues/19612

--
Marek
