Bug #15182

CVE-2016-4451 - Privileges escalation through Organization and Locations API

Added by Marek Hulán about 1 year ago. Updated about 1 year ago.

Status:Closed
Priority:Normal
Assigned To:Marek Hulán
Category:Security
Target version:-
Difficulty:
Bugzilla link:1340107
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/3553
Story points:-
Velocity based estimate:-
Release:1.11.3
Release relationship:Auto

Description

We set the current org/loc for the user in a before filter blindly, without any association check [2][3]. As a user I'd expect a 404 (bug fixed by #3549), but I get the list of resources from the org I've chosen even though I'm not associated with it.

Note that this is possible because users have by default the viewer_role, allowing them to view all data regardless of organization. If a user had all filters associated with org 1 only, he/she wouldn't see resources from org 2.

[2]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L11
[3]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L14
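The flaw described above, as an added illustration that is not Foreman's code: a constructed, Rails-free model of the API before filter, showing the unchecked scope selection beside the association check the fix adds. All names (Org, User, ORGS, HOSTS, taxonomy_scope, index_hosts) are assumptions for this example only.

```ruby
# Constructed sample data: two organizations and the hosts belonging to each.
Org  = Struct.new(:id, :name)
User = Struct.new(:login, :organization_ids)

ORGS  = [Org.new(1, "org1"), Org.new(2, "org2")].freeze
HOSTS = { 1 => %w[host-a host-b], 2 => %w[host-c] }.freeze

# Models the before filter that picks the current organization from the
# request parameter. With check_association: false it behaves as the report
# describes (any org id is accepted); with check_association: true only an
# organization the user is associated with may become the current scope,
# and anything else is answered with 404.
def taxonomy_scope(user, params, check_association:)
  org_id = params[:organization_id]
  return [200, nil] if org_id.nil?               # no scope requested
  org = ORGS.find { |o| o.id == org_id }
  return [404, nil] if org.nil?                  # unknown organization
  if check_association && !user.organization_ids.include?(org.id)
    return [404, nil]                            # not the user's org: hide it
  end
  [200, org]
end

# Models an index action for a user holding the default viewer role, who can
# see every host once the scope is set: the scope is the only limit.
def index_hosts(user, params, check_association:)
  status, org = taxonomy_scope(user, params, check_association: check_association)
  return [status, []] unless status == 200
  [200, org ? HOSTS.fetch(org.id) : HOSTS.values.flatten]
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", [1])               # associated with org 1 only
  p index_hosts(alice, { organization_id: 2 }, check_association: false)
  p index_hosts(alice, { organization_id: 2 }, check_association: true)
end
```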


Related issues

Related to Foreman - Bug #2524: Taxonomy scope API parameters not documented Closed 05/21/2013
Related to Foreman - Tracker #10022: Taxonomies related issues New 04/05/2015

Associated revisions

Revision 1144040f
Added by Marek Hulán about 1 year ago

Fixes #15182 - limit user taxonomies in API (CVE-2016-4451)

History

#1 Updated by Marek Hulán about 1 year ago

  • Related to Bug #2524: Taxonomy scope API parameters not documented added

#2 Updated by Marek Hulán about 1 year ago

  • Status changed from New to Assigned

Present probably since 1.7.

#3 Updated by Marek Hulán about 1 year ago

#4 Updated by The Foreman Bot about 1 year ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3553 added

#5 Updated by Marek Hulán about 1 year ago

  • Subject changed from Privileges escalation through Organization and Locations API to CVE-2016-4451 - Privileges escalation through Organization and Locations API

#6 Updated by Marek Hulán about 1 year ago

  • Bugzilla link set to 1340107

#7 Updated by Marek Hulán about 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
