Описание
Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs.
A flaw was discovered where Satellite failed to properly enforce permissions on the show and delete actions for reports. An authenticated user with show or delete report permissions could use this flaw to view or delete any reports held in Foreman.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenStack Foreman | foreman | Will not fix | ||
| Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer | foreman | Will not fix | ||
| Red Hat Satellite 6.1 | foreman | Fixed | RHSA-2015:2622 | 15.12.2015 |
| Red Hat Satellite 6.1 | foreman-discovery-image | Fixed | RHSA-2015:2622 | 15.12.2015 |
| Red Hat Satellite 6.1 | foreman-proxy | Fixed | RHSA-2015:2622 | 15.12.2015 |
| Red Hat Satellite 6.1 | gofer | Fixed | RHSA-2015:2622 | 15.12.2015 |
| Red Hat Satellite 6.1 | katello-agent | Fixed | RHSA-2015:2622 | 15.12.2015 |
| Red Hat Satellite 6.1 | katello-installer-base | Fixed | RHSA-2015:2622 | 15.12.2015 |
| Red Hat Satellite 6.1 | python-nectar | Fixed | RHSA-2015:2622 | 15.12.2015 |
| Red Hat Satellite 6.1 | python-qpid | Fixed | RHSA-2015:2622 | 15.12.2015 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.5 Medium
CVSS2
Связанные уязвимости
Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs.
Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view ...
Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs.
EPSS
5.5 Medium
CVSS2