CVE-2016-4475 - API and UI org/locations actions not limited to user's associated orgs/locations
|Assigned To:||Marek Hulán|
|Found in release:||Pull request:||https://github.com/theforeman/foreman/pull/3568, https://github.com/Katello/katello/pull/6129|
|Velocity based estimate||-|
A number of API and UI actions/URLs for viewing and managing organisations and locations are not limited to the orgs/locations assigned directly to the user, instead they are only restricted by permissions assigned to the user's roles.
- API index calls: GET /api/v2/organizations, GET /api/v2/locations
- API show/update/destroy calls
- UI edit/update/destroy calls
The UI index for orgs/locations and the UI org/location switcher appears to be the only place where the user's associated orgs/locations are taken into account.
Both UI and API controllers should be overriding methods for resource scopes to limit them further to the Organization.my_organizations/Location.my_locations scopes.
: ensure all org/location related permissions assigned to a user are restricted to certain orgs/locations, these should still be taken into account.
Thanks to Ivan Necas for reporting this to firstname.lastname@example.org.
Fixes #15268 - limit user taxonomies using my scopes
(cherry picked from commit a30ab44ed6f140f1791afc51a1e448afc2ff28f9)