Bug #5436

CVE-2014-0192 - provisioning templates are world accessible

Added by Ohad Levy over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assigned To: Ohad Levy
Category: Unattended installations
Target version: Sprint 23
Difficulty:
Bugzilla link:
Found in release: 1.4.0
Pull request:
Story points: -
Velocity based estimate: -
Release: 1.4.4
Release relationship: Auto

Description

Since 1e0fd283 it is possible to override spoof by providing a hostname parameter.

This would allow retrieving any template of any host, bypassing authentication.


Related issues

Duplicated by Foreman - Bug #5463: No authentication required for /unattended/provision?host... Duplicate 04/26/2014

Associated revisions

Revision aa0ebe8e
Added by Ohad Levy about 3 years ago

fixes #5436 - provisioning templates are world accessible

History

#1 Updated by Ohad Levy over 3 years ago

A simple example using curl:

curl http://0.0.0.0:3000/unattended/provision\?hostname\=abc

#2 Updated by Dominic Cleal over 3 years ago

  • Found in release changed from nightly to 1.4.0

Hm, I think I see from the code - we're only applying the authorisation filters when the spoof parameter isn't used, in the assumption that this is the only parameter needing protection. Bit messy.

This has probably been in since 5b70f0e0 / #359, so Foreman 1.4.0 and above are affected.
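
The class of bug discussed in this issue, as an added example that is not part of the issue thread and is not Foreman's code: a login check tied to one selector parameter while the host lookup also honours a second one, shown beside a hardened form. All names (`Request`, `HOSTS`, `find_host`, `render_flawed`, `render_hardened`) are hypothetical, the inventory is constructed, and treating `spoof` as an IP selector is an assumption of the model.

```ruby
# Simplified model of the flaw in this issue; NOT Foreman's code.
# Request, HOSTS, find_host and render_* are hypothetical names.
Request = Struct.new(:params, :remote_ip, :user)
class Forbidden < StandardError; end

# Constructed sample inventory.
HOSTS = {
  "web01.example.test" => { ip: "192.0.2.10", template: "rootpw --iscrypted <hash>" }
}.freeze

# Host lookup shared by both versions. An explicit selector in the query
# string wins; otherwise the caller is identified by its own address.
def find_host(req)
  if req.params.key?("spoof")          # assumption: spoof carries an IP
    HOSTS.values.find { |h| h[:ip] == req.params["spoof"] }
  elsif req.params.key?("hostname")
    HOSTS[req.params["hostname"]]
  else
    HOSTS.values.find { |h| h[:ip] == req.remote_ip }
  end
end

# Flawed: the login check is tied to one parameter name, so the second
# selector reaches find_host with no check at all.
def render_flawed(req)
  raise Forbidden if req.params.key?("spoof") && req.user.nil?
  host = find_host(req) or raise KeyError, "unknown host"
  host[:template]
end

# Hardened: the check covers every selector find_host honours and runs
# before the lookup, so adding a selector without a check is visible here.
SELECTORS = %w[spoof hostname].freeze

def render_hardened(req)
  on_behalf = SELECTORS.any? { |k| req.params.key?(k) }
  raise Forbidden if on_behalf && req.user.nil?
  host = find_host(req) or raise KeyError, "unknown host"
  host[:template]
end
```

A regression test for a fix of this kind should request a template once per selector without a session and expect a refusal each time, and should confirm that a host fetching its own template with no selector still succeeds.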

#3 Updated by Dominic Cleal about 3 years ago

  • Private changed from Yes to No

Removing private flag as it's been reported publicly.

#4 Updated by Dominic Cleal about 3 years ago

  • Duplicated by Bug #5463: No authentication required for /unattended/provision?hostname=HOSTNAME added

#5 Updated by Ohad Levy about 3 years ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Ohad Levy

#6 Updated by Ohad Levy about 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Dominic Cleal about 3 years ago

  • Subject changed from provisioning templates are world accessible to CVE-2014-0192 - provisioning templates are world accessible

#8 Updated by Dominic Cleal about 3 years ago

  • Release changed from 1.5.0 to 1.4.4

Fix available in 1.5.0-RC2 and above.
