Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-4451

Опубликовано: 25 мая 2016
Источник: redhat
CVSS3: 6.3
CVSS2: 4.9
EPSS Низкий

Описание

The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.

It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenStack ForemanforemanWill not fix
Red Hat Ceph Storage 1.3foremanWill not fix
Red Hat Enterprise Linux OpenStack Platform 6 (Juno) InstallerforemanWill not fix
Red Hat Satellite 6.3 for RHEL 7candlepinFixedRHSA-2018:033621.02.2018
Red Hat Satellite 6.3 for RHEL 7foremanFixedRHSA-2018:033621.02.2018
Red Hat Satellite 6.3 for RHEL 7foreman-bootloaders-redhatFixedRHSA-2018:033621.02.2018
Red Hat Satellite 6.3 for RHEL 7foreman-discovery-imageFixedRHSA-2018:033621.02.2018
Red Hat Satellite 6.3 for RHEL 7foreman-installerFixedRHSA-2018:033621.02.2018
Red Hat Satellite 6.3 for RHEL 7foreman-proxyFixedRHSA-2018:033621.02.2018
Red Hat Satellite 6.3 for RHEL 7foreman-selinuxFixedRHSA-2018:033621.02.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-284
https://bugzilla.redhat.com/show_bug.cgi?id=1339889foreman: privilege escalation through Organization and Locations API

EPSS

Процентиль: 35%
0.00142
Низкий

6.3 Medium

CVSS3

4.9 Medium

CVSS2

Связанные уязвимости

nvd логотип

CVE-2016-4451

CVSS3: 5
nvd
больше 9 лет назад

The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.

debian логотип

CVE-2016-4451

CVSS3: 5
debian
больше 9 лет назад

The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 a ...

github логотип

GHSA-jh5m-3mwm-hr2m

CVSS3: 5
github
больше 3 лет назад

The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.

EPSS

Процентиль: 35%
0.00142
Низкий

6.3 Medium

CVSS3

4.9 Medium

CVSS2

Уязвимость CVE-2016-4451