Bug #16971

CVE-2016-7077 - Association lists (for < 6 items) shown without authorization/filters

Added by Marek Hulán 5 months ago. Updated 5 months ago.

Status:Closed
Priority:Normal
Assigned To:Marek Hulán
Category:Security
Target version:Team Marek Iteration 6
Difficulty:
Bugzilla link:
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/3955
Story points: -
Velocity based estimate: -
Release: 1.14.0
Release relationship: Auto

Description

To reproduce:

1. set up a user with permissions to create architectures
2. make sure you have less than 6 OS in Foreman
3. log in as that user, try to create architecture
4. you can see all OSes listed there even if the user does not have any OS permission

Note that when there are 6 or more OSes, association is authorized properly.

The code that's responsible for this can be found at [1]. I believe it's present since Foreman 1.1 [2]. Since this is in a generic helper, each form using this helper is vulnerable. It looks like the >= 6 code path (via multiple_select) had authorisation implemented in #7337 for 1.9.0, and the < 6 code path was left untouched.

[1] https://github.com/theforeman/foreman/blob/develop/app/helpers/form_helper.rb#L48-L58
[2] https://github.com/theforeman/foreman/commit/14d225cc561b6fb2678eb87e9323d7750a06195c
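The size-dependent branch described in the report, as an added Ruby illustration that is not Foreman's own helper code: a stand-in for the form helper that filters only on the multiple_select path, beside a fixed shape that authorizes before choosing a widget. The Authorizer class, the function names and the sample operating-system records are all constructed for this example.

```ruby
# Added example illustrating the CVE-2016-7077 pattern: a stand-in for the
# Foreman associations helper that picks a widget by collection size.
# Every name, the toy Authorizer and the sample data are constructed for this
# example; none of it is Foreman's own code.

SELECT_THRESHOLD = 6  # below this, checkboxes are rendered instead of multiple_select

# Constructed stand-in for the permission filter: keeps only records the
# current user is allowed to see.
class Authorizer
  def initialize(permitted_ids)
    @permitted_ids = permitted_ids
  end

  def filter(records)
    records.select { |r| @permitted_ids.include?(r[:id]) }
  end
end

# Vulnerable shape: only the multiple_select branch filters the collection;
# the checkbox branch (< 6 items) renders every record unfiltered.
def association_widget_vulnerable(records, authorizer)
  if records.size < SELECT_THRESHOLD
    [:checkboxes, records.map { |r| r[:id] }]
  else
    [:multiple_select, authorizer.filter(records).map { |r| r[:id] }]
  end
end

# Fixed shape (assumed, not the upstream patch): authorize before choosing a
# widget, so the rendered list no longer depends on how many records exist.
def association_widget_fixed(records, authorizer)
  visible = authorizer.filter(records)
  widget = visible.size < SELECT_THRESHOLD ? :checkboxes : :multiple_select
  [widget, visible.map { |r| r[:id] }]
end

# Regression check: ids the helper exposes that the authorizer would hide.
def leaked_ids(widget_result, records, authorizer)
  widget_result[1] - authorizer.filter(records).map { |r| r[:id] }
end

# Constructed sample: four operating systems, user may view only id 1.
OPERATING_SYSTEMS = (1..4).map { |i| { id: i, name: "OS#{i}" } }
MANY_OPERATING_SYSTEMS = (1..8).map { |i| { id: i, name: "OS#{i}" } }
USER = Authorizer.new([1])
```

With four records the vulnerable helper lists all four ids to a user permitted to see one; with eight it filters correctly, which is why the bug only shows below the threshold.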


Related issues

Related to Foreman - Bug #17256: Non-admin user can't edit his own profile if he has more ... Closed 11/07/2016

Associated revisions

Revision caffb7e8
Added by Marek Hulán 5 months ago

Fixes #16971 - CVE-2016-7077 remove unauthorized checkboxes

History

#1 Updated by Marek Hulán 5 months ago

  • Release set to 1.14.0

#2 Updated by Dominic Cleal 5 months ago

  • Subject changed from Associations are not authorized if resource count is less than 6 to CVE-2016-7077 - Association lists (for < 6 items) shown without authorization/filters
  • Status changed from New to Assigned

#3 Updated by Marek Hulán 5 months ago

  • Target version changed from Team Marek Iteration 4 to Team Marek Iteration 5

#4 Updated by The Foreman Bot 5 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3955 added

#5 Updated by Marek Hulán 5 months ago

  • Related to Bug #17256: Non-admin user can't edit his own profile if he has more than 5 roles added

#6 Updated by Marek Hulán 5 months ago

  • Target version changed from Team Marek Iteration 5 to Team Marek Iteration 6

#7 Updated by Anonymous 5 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
