Bug #10469
closed
Auto provision rule does not enforce host group association to org/location
Description
This was reported by Ori Rabin to foreman-security (thanks!) and a CVE identifier was filed under CVE-2015-3199, but it turned out this does not affect any released upstream version.
Steps to reproduce:
- log in with a user that has 2 locations (A, B)
- discover a host and make sure it is connected to location B
- create a hostgroup in location A
- create a discovery rule in location B to match the discovered host and use the hostgroup from 3
- log in with a user with permissions to location B only
- you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
- auto provision the discovered host
- go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for
The rule creation should enforce that the selected host group is in the same org/location as the rule itself.
Optionally Discovery could also enforce that users must have view_hostgroups permissions for their target host group when using rules, but this isn't done in Foreman core today anyway - #4477, #6470 etc.
Updated by Dominic Cleal about 9 years ago
- Subject changed from Auto provision rule does not enforce host group association to org/location to CVE-2015-3199 - Auto provision rule does not enforce host group association to org/location
- Description updated (diff)
Updated by Dominic Cleal about 9 years ago
Given #9881's not even in Discovery 2.x or 3.0.0, does this actually affect any released software? AFAICT, it doesn't.
Updated by Lukas Zapletal about 9 years ago
I can confirm this was not yet released:
g branch -r --contains 47ecc19a26809dabca37aa8d43231aebde4351dc | grep origin
origin/HEAD -> origin/develop
origin/develop
Updated by Lukas Zapletal about 9 years ago
- Related to Bug #9881: Discovery rules are not connected to taxonomies added
Updated by Lukas Zapletal about 9 years ago
- Subject changed from CVE-2015-3199 - Auto provision rule does not enforce host group association to org/location to Auto provision rule does not enforce host group association to org/location
- Description updated (diff)
Updated subject and description.
Updated by Lukas Zapletal almost 9 years ago
- Status changed from New to Assigned
- Assignee set to Lukas Zapletal
Updated by The Foreman Bot almost 9 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman_discovery/pull/202 added
- Pull request deleted (
)
Updated by Anonymous almost 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset foreman_discovery|5cb015eb6ab9be490956af00300bdd1df94c8d18.