Description
[REJECTED CVE] It was found that the Foreman Discovery plug-in's auto provision rules did not correctly enforce group association to an organization or a location. Steps to reproduce:
1. log in with a user that has 2 locations (A, B)
2. discover a host and make sure it is connected to location B
3. create a hostgroup in location A
4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
5. log in with a user with permissions to location B only
6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
7. auto provision the discovered host
8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for
Statement
This CVE has been rejected upstream, because investigation showed that it was not a security issue in a product and does not affect any released upstream version. If you have additional information or concerns regarding this determination, please contact Red Hat Product Security for further clarification.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenStack Foreman | ruby193-rubygem-foreman_discovery | Not affected | | |
| Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer | ruby193-rubygem-foreman_discovery | Not affected | | |
| Red Hat Satellite 6 | ruby193-rubygem-foreman_discovery | Not affected | | |
Additional information
Weakness: CWE-285
https://bugzilla.redhat.com/show_bug.cgi?id=1220853 foreman_discovery: auto provision rule does not enforce host group association to org/location
2.1 Low
CVSS2
Related vulnerabilities
nvd
more than 10 years ago
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in a product. Notes: none.
2.1 Low
CVSS2