Bug #15268

CVE-2016-4475 - API and UI org/locations actions not limited to user's associated orgs/locations

Added by Dominic Cleal 10 months ago. Updated 9 months ago.

Status: Closed
Priority: High
Assigned To: Marek Hulán
Category: Security
Target version: -
Difficulty:
Bugzilla link: 1342665
Found in release:
Pull request: https://github.com/Katello/katello/pull/6129, https://github.com/theforeman/foreman/pull/3568
Story points: -
Velocity based estimate: -
Release: 1.11.4
Release relationship: Auto

Description

A number of API and UI actions/URLs for viewing and managing organisations and locations are not limited to the orgs/locations assigned directly to the user; instead they are only restricted by permissions assigned to the user's roles.

  • API index calls: GET /api/v2/organizations, GET /api/v2/locations
  • API show/update/destroy calls
  • UI edit/update/destroy calls

The UI index for orgs/locations and the UI org/location switcher appear to be the only places where the user's associated orgs/locations are taken into account.

Both UI and API controllers should be overriding methods for resource scopes to limit them further to the Organization.my_organizations/Location.my_locations scopes.

Mitigation: ensure all org/location-related permissions assigned to a user are restricted to certain orgs/locations; these should still be taken into account.

Thanks to Ivan Necas for reporting this to .
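
The following is an added illustration of the access-control gap described in this report and of the "limit to my scopes" fix; it is not Foreman's code, and it uses no Rails. The model types (Organization, Filter, User, ORGS) and the helper names (permitted_org_ids, resource_scope_vulnerable, resource_scope_fixed, my_organizations, find_in_scope!) are invented for the example; the sample users are constructed. In Foreman itself the equivalent of my_organizations is the Organization.my_organizations / Location.my_locations scope that the controllers' resource scopes were changed to use.

```ruby
# Illustrative model of CVE-2016-4475 (added example, not Foreman's code).
# Plain Ruby, no Rails; all names below are invented for the example.
Organization = Struct.new(:id, :name)

ORGS = [
  Organization.new(1, 'Default'),
  Organization.new(2, 'Finance'),
  Organization.new(3, 'Lab')
].freeze

# A role filter: a permission plus the organisation ids it is restricted to.
# org_ids = nil models an unrestricted filter ("all organisations").
Filter = Struct.new(:permission, :org_ids)

# A user carries the filters granted by their roles and the organisations they
# are directly associated with (the "my organizations" of the report).
User = Struct.new(:login, :filters, :my_organization_ids)

# Organisation ids the user's role permissions grant for +permission+.
def permitted_org_ids(user, permission)
  user.filters
      .select { |f| f.permission == permission }
      .flat_map { |f| f.org_ids || ORGS.map(&:id) }
      .uniq
end

# Vulnerable resource scope: trusts role permissions alone, so a user whose
# role grants the permission without a taxonomy restriction can reach every
# organisation, including ones they are not assigned to.
def resource_scope_vulnerable(user, permission)
  ids = permitted_org_ids(user, permission)
  ORGS.select { |o| ids.include?(o.id) }
end

# Organisations the user is directly associated with.
def my_organizations(user)
  ORGS.select { |o| user.my_organization_ids.include?(o.id) }
end

# Fixed resource scope: the permission scope is further limited to the user's
# own organisations, which is the approach the report asks for.
def resource_scope_fixed(user, permission)
  resource_scope_vulnerable(user, permission) & my_organizations(user)
end

# Guard for show/update/destroy-style actions: the target must be in scope,
# otherwise behave as if it does not exist.
def find_in_scope!(user, permission, org_id)
  resource_scope_fixed(user, permission).find { |o| o.id == org_id } ||
    raise(KeyError, "organization #{org_id} not found in scope for #{user.login}")
end

# Constructed sample users.
# alice: assigned only to Default, but her role filter is unrestricted.
ALICE = User.new('alice', [Filter.new(:view_organizations, nil)], [1])
# bob: the report's mitigation, a filter restricted to Default only.
BOB   = User.new('bob',   [Filter.new(:view_organizations, [1])], [1, 2])
# carol: permission granted on organisations she is not assigned to.
CAROL = User.new('carol', [Filter.new(:view_organizations, [2, 3])], [1])

# Ids returned by the named scope method for the view_organizations permission.
def scope_ids(method, user)
  send(method, user, :view_organizations).map(&:id)
end

if $PROGRAM_NAME == __FILE__
  [ALICE, BOB, CAROL].each do |u|
    puts "#{u.login}: vulnerable=#{scope_ids(:resource_scope_vulnerable, u)} " \
         "fixed=#{scope_ids(:resource_scope_fixed, u)}"
  end
end
```

Running the block shows alice's unrestricted filter exposing all three organisations through the vulnerable scope and only Default through the fixed one; bob's restricted filter (the mitigation) already limits the vulnerable scope to Default; carol, whose permission covers only organisations she is not assigned to, gets an empty scope once the association is enforced.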


Related issues

Related to Foreman - Tracker #10022: Taxonomies related issues (New, 04/05/2015)

Associated revisions

Revision a30ab44e
Added by Marek Hulán 9 months ago

Fixes #15268 - limit user taxonomies using my scopes

Fixes CVE-2016-4475

History

#1 Updated by Marek Hulán 10 months ago

  • Status changed from New to Assigned
  • Assigned To set to Marek Hulán

#2 Updated by Marek Hulán 10 months ago

#3 Updated by The Foreman Bot 10 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3568 added

#4 Updated by Dominic Cleal 10 months ago

  • Subject changed from API and UI org/locations actions not limited to user's associated orgs/locations to CVE-2016-4475 - API and UI org/locations actions not limited to user's associated orgs/locations

#5 Updated by Bryan Kearney 10 months ago

  • Bugzilla link set to 1342665

#6 Updated by The Foreman Bot 9 months ago

  • Pull request https://github.com/Katello/katello/pull/6129 added

#7 Updated by Dominic Cleal 9 months ago

  • Release changed from 1.11.3 to 1.11.4

#8 Updated by Marek Hulán 9 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
