The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.
References
Link | Resource |
---|---|
http://projects.theforeman.org/issues/15182 | Vendor Advisory |
http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444b4bf4aae81940a150b26b23b4623c | Patch Vendor Advisory |
https://access.redhat.com/errata/RHSA-2018:0336 | |
https://theforeman.org/security.html#2016-4451 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
12 Feb 2023, 23:21
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization. |
02 Feb 2023, 16:17
Type | Values Removed | Values Added |
---|---|---|
Summary | It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations. | |
References |
|
Information
Published : 2016-08-19 21:59
Updated : 2023-12-10 11:46
NVD link : CVE-2016-4451
Mitre link : CVE-2016-4451
CVE.ORG link : CVE-2016-4451
JSON object : View
Products Affected
theforeman
- foreman
CWE
CWE-254
7PK - Security Features