Project

General

Profile

Actions

Bug #10829

closed

CVE-2015-3235 - edit_users permission allows changing of admin passwords

Added by Dominic Cleal almost 9 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Users, Roles and Permissions
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.

Tracked as CVE-2015-3235.

Mitigation

Change roles of users with the edit_users permission, remove the "Unlimited" flag and set a search query of "admin = false".

Actions #1

Updated by Shlomi Zadok almost 9 years ago

  • Assignee set to Shlomi Zadok
Actions #2

Updated by The Foreman Bot almost 9 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2465 added
  • Pull request deleted ()
Actions #3

Updated by Shlomi Zadok almost 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #4

Updated by Ohad Levy almost 9 years ago

  • Bugzilla link set to 1233084
Actions

Also available in: Atom PDF