CVE-2016-7077 - Association lists (for < 6 items) shown without authorization/filters
|Assigned To:||Marek Hulán|
|Target version:||Team Marek Iteration 6|
|Found in release:||Pull request:||https://github.com/theforeman/foreman/pull/3955|
|Velocity based estimate||-|
1. setup user with permissions to create architectures
2. make sure you have less than 6 OS in Foreman
3. login as that user, try to create architecture
4. you can see all OSes listed there even if the user does not have any OS
Note that when there are 6 or more OSes, association is authorized properly.
The code that's responsible for this can be found at . I believe it's
present since Foreman 1.1 . Since this is in generic helper, each form
using this helper is vulnerable. It looks like the >= 6 code path (via multiple_select) had
authorisation implemented in #7337 for 1.9.0, and the < 6 code path was left untouched.