Bug #19612

CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization

Added by Marek Hulán 3 months ago. Updated 3 months ago.

Status:Closed
Priority:Normal
Assigned To:Marek Hulán
Category:Security
Target version:-
Difficulty:
Bugzilla link:
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/4545
Story points:-
Velocity based estimate:-
Release:1.15.1
Release relationship:Auto

Description

It has been found that a user with *_users permissions who is assigned to some
organization(s) can do all operations granted by these permissions on all
administrator user objects. We consider admin to effectively be present in
all organizations, which was the motivation for displaying them in every context.

On one hand, it makes sense from a technical point of view. On the other hand,
it's unexpected, and a user that is supposed to have access only to his/her
organizations can edit global admin accounts, including changing their
passwords.

The problem seems to be present since Foreman 1.5 [1], where nesting of
organizations was introduced [2]. The fix seems to be straightforward: add
admin ids to the set only if User.current.admin? in the Taxonomix module [3].

[1] http://projects.theforeman.org/issues/3912
[2] https://github.com/theforeman/foreman/commit/1fa008a4#diff-501156756cdcbc510254e30f9e2a29daR40
[3] https://github.com/theforeman/foreman/blob/develop/app/models/concerns/taxonomix.rb#L85
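The following is an added illustration, not code from Foreman or from the reporter: a small in-memory model of the taxonomy scoping the report describes, with the pre-fix behaviour (admin ids merged into every organization-scoped user's visible set) beside the fixed behaviour (admin ids merged only when the current user is an admin). The names User, USERS, scoped_user_ids and can_manage? and the fix_applied switch are hypothetical; real Foreman implements this with ActiveRecord scopes in the Taxonomix concern referenced above.

```ruby
# Added example, not Foreman code. Minimal stand-in for the User model:
# an admin flag and the organization ids the user is assigned to.
User = Struct.new(:id, :login, :admin, :organization_ids, keyword_init: true) do
  def admin?
    admin
  end
end

# Constructed sample data: a global admin assigned to no organization,
# an organization-scoped user holding *_users permissions in org 1, and
# an unrelated user in org 2.
USERS = [
  User.new(id: 1, login: 'admin',     admin: true,  organization_ids: []),
  User.new(id: 2, login: 'org1_mgr',  admin: false, organization_ids: [1]),
  User.new(id: 3, login: 'org2_user', admin: false, organization_ids: [2]),
].freeze

# Ids of the users that `current` may operate on once taxonomy scoping is
# applied. fix_applied: false reproduces the behaviour the report describes
# (admins are treated as present in every organization, so their ids are
# always merged in). fix_applied: true mirrors the described fix: admin ids
# are merged only if the current user is an admin.
def scoped_user_ids(current, users, fix_applied:)
  # Admins are not taxonomy-scoped at all; they see every user.
  return users.map(&:id).sort if current.admin?

  # Users sharing at least one organization with the current user.
  ids = users.select { |u| (u.organization_ids & current.organization_ids).any? }
             .map(&:id)

  admin_ids = users.select(&:admin?).map(&:id)
  ids |= admin_ids if !fix_applied || current.admin?
  ids.sort
end

# The authorization question the CVE is about: can `current` reach `target`
# (and therefore edit it, reset its password, etc.) through the scoped set?
def can_manage?(current, target, users, fix_applied:)
  scoped_user_ids(current, users, fix_applied: fix_applied).include?(target.id)
end

if __FILE__ == $PROGRAM_NAME
  mgr = USERS[1]
  [false, true].each do |fixed|
    puts "fix_applied=#{fixed}: org1_mgr sees #{scoped_user_ids(mgr, USERS, fix_applied: fixed).inspect}, " \
         "can manage admin? #{can_manage?(mgr, USERS[0], USERS, fix_applied: fixed)}"
  end
end
```

With the fix off, org1_mgr's scoped set contains the global admin's id even though the admin belongs to no organization, which is exactly the exposure the report describes; with the fix on, only users in org1_mgr's own organization are reachable, while a real admin still sees everyone.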


Related issues

Related to Katello - Bug #19664: Upcoming security fix in Foreman breaks Katello tests Closed 05/25/2017
Related to foreman-tasks - Bug #19704: Upcoming security fix in Foreman breaks KeepCurrentUser m... Closed 05/30/2017

Associated revisions

Revision e19acaf7
Added by Marek Hulán 3 months ago

Refs #19612 - update security page

Revision af9edf10
Added by Marek Hulán 3 months ago

Fixes #19612 - CVE-2017-7505 don't expose admin to taxed users

History

#1 Updated by Marek Hulán 3 months ago

  • Release set to 1.15.1

#2 Updated by The Foreman Bot 3 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4545 added

#3 Updated by Marek Hulán 3 months ago

  • Subject changed from User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization to CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization

#4 Updated by Marek Hulán 3 months ago

  • Related to Bug #19664: Upcoming security fix in Foreman breaks Katello tests added

#5 Updated by Marek Hulán 3 months ago

  • Related to Bug #19704: Upcoming security fix in Foreman breaks KeepCurrentUser middleware added

#6 Updated by Anonymous 3 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
