Foreman before 1.11.4 and 1.12.x before 1.12.1 does not properly restrict access to preview provisioning templates, which allows remote authenticated users with permission to view some hosts to obtain sensitive host configuration information via a URL with a hostname.
References
Link | Resource |
---|---|
http://projects.theforeman.org/issues/15490 | Patch Vendor Advisory |
http://projects.theforeman.org/projects/foreman/repository/revisions/c3c186de12be15e55d9582e54659f765304a1073 | Patch Vendor Advisory |
https://access.redhat.com/errata/RHSA-2018:0336 | Third Party Advisory |
https://theforeman.org/security.html#2016-4995 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
12 Feb 2023, 23:22
Type | Values Removed | Values Added |
---|---|---|
Summary | Foreman before 1.11.4 and 1.12.x before 1.12.1 does not properly restrict access to preview provisioning templates, which allows remote authenticated users with permission to view some hosts to obtain sensitive host configuration information via a URL with a hostname. | |
References |
|
02 Feb 2023, 21:17
Type | Values Removed | Values Added |
---|---|---|
Summary | A flaw was found in foreman's handling of template previews. An attacker with permissions to preview host templates can access the template preview for any host if they are able to guess the host name, disclosing potentially sensitive information. | |
References |
|
Information
Published : 2016-08-19 21:59
Updated : 2023-12-10 11:46
NVD link : CVE-2016-4995
Mitre link : CVE-2016-4995
CVE.ORG link : CVE-2016-4995
JSON object : View
Products Affected
theforeman
- foreman
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor