The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.
References
| Link | Resource |
|---|---|
| http://projects.theforeman.org/issues/15268 | Patch; Vendor Advisory |
| http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9 | Patch; Vendor Advisory |
| http://www.securityfocus.com/bid/92125 | Third Party Advisory; VDB Entry |
| https://access.redhat.com/errata/RHBA-2016:1615 | |
| https://theforeman.org/security.html#2016-4475 | Vendor Advisory |
History
12 Feb 2023, 23:21

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors. | |
02 Feb 2023, 16:17

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | It was found that the foreman API and UI actions and URLs are not properly limited to the organizations and locations they were assigned to. This could allow an attacker to view and update other organizations and locations in the system that they should not be allowed to. | |
Information
Published : 2016-08-19 21:59
Updated : 2023-12-10 11:46
NVD link : CVE-2016-4475
Mitre link : CVE-2016-4475
CVE.ORG link : CVE-2016-4475
Products Affected
theforeman
- foreman
CWE
CWE-254
7PK - Security Features