Description
The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.
It was found that Foreman API and UI actions and URLs were not properly limited to the organizations and locations assigned to the requesting user. An authenticated attacker could view and update organizations and locations in the system that they should not have been allowed to access.
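The two things a practitioner wants to know from this advisory are whether a given Foreman build is inside the affected range (before 1.11.4, or 1.12.x before 1.12.0-RC3) and whether a user restricted to one organization can actually read others. The script below is an added example written for this page; it is not Foreman's or Red Hat's code. It assumes that Foreman's API v2 exposes `GET /api/status` with a JSON `version` field and `GET /api/organizations/<id>`, and that a patched server answers a request for an organization outside the user's scope with a non-2xx status (404 is used in the constructed sample, but the check only relies on "not 2xx"). The sample responses at the bottom are constructed, not captured from a real server.

```python
"""Checks for the Foreman organization/location scope bypass described above.

  1. Version gate: is the reported Foreman version in the affected range?
  2. Behavioural probe: can a user assigned to ONE organization read others?

Assumptions (not stated by the advisory): Foreman API v2 offers
GET /api/status (JSON with a "version" field) and GET /api/organizations/<id>;
a patched server answers an out-of-scope organization with a non-2xx status.
"""
import base64
import json
import re
import urllib.error
import urllib.request

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '1.12.0-RC2' into a sortable tuple. A final release sorts after
    every release candidate of the same x.y.z, so 1.12.0 > 1.12.0-RC3."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Foreman version: %r" % text)
    major, minor, patch, rc = m.groups()
    final_flag = 1 if rc is None else 0
    return (int(major), int(minor), int(patch), final_flag, int(rc or 0))


def is_affected(version):
    """True when the version is in the range the advisory names:
    anything before 1.11.4, or a 1.12 build before 1.12.0-RC3."""
    v = parse_version(version)
    if v < parse_version("1.11.4"):
        return True
    if v[:2] == (1, 12) and v < parse_version("1.12.0-RC3"):
        return True
    return False


def find_scope_leaks(assigned_ids, candidate_ids, probe):
    """Return the organization ids outside `assigned_ids` for which
    probe(org_id) -> HTTP status of GET /api/organizations/<id>, issued AS
    THE RESTRICTED USER, reports success. On a patched server this is empty.
    Foreman ids are sequential integers, so a small id range is a fair sweep."""
    assigned = set(assigned_ids)
    return sorted(
        org_id for org_id in candidate_ids
        if org_id not in assigned and 200 <= probe(org_id) < 300
    )


def http_status(base_url, path, user, password, timeout=10):
    """Status code of an authenticated GET against a live instance.
    Use functools.partial(http_status, url, path_fmt, ...) to build a probe
    for find_scope_leaks; this helper is not exercised offline."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": "Basic " + token,
                                          "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def foreman_version(base_url, user, password, timeout=10):
    """Read the version string from GET /api/status (field name assumed)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + "/api/status",
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


# Constructed responses: a user assigned only to organization 1 probes ids 1..3.
VULNERABLE_RESPONSES = {1: 200, 2: 200, 3: 200}  # every organization readable
PATCHED_RESPONSES = {1: 200, 2: 404, 3: 404}     # out-of-scope ones hidden (assumed 404)


def probe_from(table):
    """Build an offline probe that answers from a status table."""
    return lambda org_id: table.get(org_id, 404)


def demo():
    """Leaks found against the constructed vulnerable and patched servers."""
    before = find_scope_leaks([1], [1, 2, 3], probe_from(VULNERABLE_RESPONSES))
    after = find_scope_leaks([1], [1, 2, 3], probe_from(PATCHED_RESPONSES))
    return before, after


if __name__ == "__main__":
    print("1.11.3 affected:", is_affected("1.11.3"))
    print("leaks before/after fix:", demo())
```

Run the behavioural probe with the credentials of a deliberately restricted user, never an admin, and treat any 2xx for an unassigned organization as a positive; the version gate alone is not sufficient because distributions backport fixes without bumping the upstream version (the Satellite 6.2 fix in RHBA-2016:1615 is an example).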
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| OpenStack Foreman | foreman | Affected | ||
| Red Hat Ceph Storage 1.3 | foreman | Will not fix | ||
| Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer | foreman | Affected | ||
| Red Hat Satellite 6.2 for RHEL 6 | foreman | Fixed | RHBA-2016:1615 | 16.08.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | foreman-installer | Fixed | RHBA-2016:1615 | 16.08.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | foreman-proxy | Fixed | RHBA-2016:1615 | 16.08.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | pulp | Fixed | RHBA-2016:1615 | 16.08.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | satellite | Fixed | RHBA-2016:1615 | 16.08.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | tfm-rubygem-foreman_discovery | Fixed | RHBA-2016:1615 | 16.08.2016 |
| Red Hat Satellite 6.2 for RHEL 6 | tfm-rubygem-hammer_cli_foreman_admin | Fixed | RHBA-2016:1615 | 16.08.2016 |
Additional information
Status:
EPSS:
CVSS2: 4.9 (Medium)