Bug #15490

CVE-2016-4995 - view_hosts permissions/filters not checked for provisioning template previews

Added by Dominic Cleal 10 months ago. Updated 10 months ago.

Status:Closed
Priority:Normal
Assigned To:Lukas Zapletal
Category:Security
Target version:-
Difficulty:
Bugzilla link:
Found in release:1.11.0
Pull request:https://github.com/theforeman/foreman/pull/2428
Story points:-
Velocity based estimate:-
Release:1.11.4
Release relationship:Auto

Description

Users who are logged in with permission to view only some hosts are able to preview provisioning templates for any host by specifying its hostname in the URL, because the template preview does not apply the user's view_hosts permission or the filters attached to it. If the organization or location features are enabled, the user is still restricted to their associated orgs/locs, but not further.

This can disclose configuration information about the host, including root password hashes if used in preseed/kickstart templates.

Foreman versions 1.11.0 and later are affected; the fix is released in 1.11.4.
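The following is an added example that models the gap described above; it is not Foreman's code. Host, User, the glob-style host filter and the one-line kickstart template are simplified stand-ins constructed for illustration. The vulnerable lookup scopes only by organization, so a user whose view_hosts filter matches `web*` can still preview the kickstart of a database host in the same org and read its root password hash; the fixed lookup also applies the user's view_hosts filter.

```ruby
# Added example (not Foreman's code): organization scoping alone versus
# organization scoping plus the view_hosts permission filter.

Host = Struct.new(:name, :organization, :root_pass_hash, keyword_init: true)

# A user belongs to organizations and carries view_hosts filters; a host is
# visible to the user only if its name matches at least one filter.
# (Simplified stand-in for real permission filters.)
class User
  attr_reader :organizations, :host_filters

  def initialize(organizations:, host_filters:)
    @organizations = organizations
    @host_filters  = host_filters # glob patterns on the host name, e.g. 'web*'
  end

  def may_view?(host)
    host_filters.any? { |pattern| File.fnmatch(pattern, host.name) }
  end
end

# Constructed inventory: two hosts in the same organization.
HOSTS = [
  Host.new(name: 'web01.example.com', organization: 'acme', root_pass_hash: '$6$salt$webhash'),
  Host.new(name: 'db01.example.com',  organization: 'acme', root_pass_hash: '$6$salt$dbhash')
].freeze

# Minimal kickstart fragment that embeds the host's root password hash.
KICKSTART = "rootpw --iscrypted %<root_pass_hash>s\n".freeze

def render_kickstart(host)
  format(KICKSTART, root_pass_hash: host.root_pass_hash)
end

# Vulnerable: the host is looked up by name and only the org membership is
# checked, so any host in the user's org can be previewed.
def preview_vulnerable(user, hostname)
  host = HOSTS.find do |h|
    h.name == hostname && user.organizations.include?(h.organization)
  end
  return nil unless host

  render_kickstart(host)
end

# Fixed: the same lookup additionally requires the user's view_hosts filter to
# match. A non-matching host is treated exactly like a nonexistent one.
def preview_fixed(user, hostname)
  host = HOSTS.find do |h|
    h.name == hostname &&
      user.organizations.include?(h.organization) &&
      user.may_view?(h)
  end
  return nil unless host

  render_kickstart(host)
end

if __FILE__ == $PROGRAM_NAME
  web_admin = User.new(organizations: ['acme'], host_filters: ['web*'])
  puts preview_vulnerable(web_admin, 'db01.example.com') # leaks db01's root hash
  p preview_fixed(web_admin, 'db01.example.com')          # nil
end
```

The fixed lookup returns nil for a filtered-out host so that the caller can answer with the same "not found" response it gives for a host that does not exist, which avoids confirming to a restricted user that the host is present.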


Related issues

Related to Foreman - Refactor #13039: Remove DB queries from class of UnattendedController Closed 01/07/2016
Related to Foreman - Bug #10689: Unattended controller permission check does not work Duplicate 06/03/2015

Associated revisions

Revision c3c186de
Added by Lukas Zapletal 10 months ago

Fixes #15490 - adding view_host filter and better msg

Users who are logged in with permissions to view some hosts are able to
preview provisioning templates for any host by specifying its hostname
in the URL, as the specific view_hosts permissions and filters aren't
checked. If the organization or location features are enabled, the user
will still be restricted to their associated orgs/locs.

This can disclose configuration information about the host, including
root password hashes if used in preseed/kickstart templates.

History

#1 Updated by Dominic Cleal 10 months ago

  • Related to Refactor #13039: Remove DB queries from class of UnattendedController added

#2 Updated by Dominic Cleal 10 months ago

  • Related to Bug #10689: Unattended controller permission check does not work added

#3 Updated by Dominic Cleal 10 months ago

This vuln was introduced by #13039, but the patch for #10689 (which itself is now resolved) should serve to fix the issue when the ticket number's updated.

#4 Updated by Dominic Cleal 10 months ago

  • Subject changed from view_hosts permissions/filters not checked for provisioning template previews to CVE-2016-4995 - view_hosts permissions/filters not checked for provisioning template previews

#5 Updated by Dominic Cleal 10 months ago

  • Status changed from New to Assigned
  • Assigned To set to Lukas Zapletal

#6 Updated by The Foreman Bot 10 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2428 added

#7 Updated by Lukas Zapletal 10 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
