Project

General

Profile

Actions

Bug #10469

closed

Auto provision rule does not enforce host group association to org/location

Added by Dominic Cleal over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Category:
Discovery plugin
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

This was reported by Ori Rabin to foreman-security (thanks!) and a CVE identifier was filed under CVE-2015-3199, but it turned out this does not affect any released upstream version.


Steps to reproduce:
  1. log in with a user that has 2 locations (A, B)
  2. discover a host and make sure it is connected to location B
  3. create a hostgroup in location A
  4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
  5. log in with a user with permissions to location B only
  6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
  7. auto provision the discovered host
  8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for

The rule creation should enforce that the selected host group is in the same org/location as the rule itself.

Optionally Discovery could also enforce that users must have view_hostgroups permissions for their target host group when using rules, but this isn't done in Foreman core today anyway - #4477, #6470 etc.


Related issues 1 (0 open1 closed)

Related to Discovery - Bug #9881: Discovery rules are not connected to taxonomies ClosedOri Rabin03/24/2015Actions
Actions #1

Updated by Dominic Cleal over 9 years ago

  • Description updated (diff)
Actions #2

Updated by Dominic Cleal over 9 years ago

  • Subject changed from Auto provision rule does not enforce host group association to org/location to CVE-2015-3199 - Auto provision rule does not enforce host group association to org/location
  • Description updated (diff)
Actions #3

Updated by Dominic Cleal over 9 years ago

Given #9881's not even in Discovery 2.x or 3.0.0, does this actually affect any released software? AFAICT, it doesn't.

Actions #4

Updated by Lukas Zapletal over 9 years ago

I can confirm this was not yet released:

g branch -r --contains 47ecc19a26809dabca37aa8d43231aebde4351dc | grep origin
origin/HEAD -> origin/develop
origin/develop

Actions #5

Updated by Lukas Zapletal over 9 years ago

  • Related to Bug #9881: Discovery rules are not connected to taxonomies added
Actions #6

Updated by Lukas Zapletal over 9 years ago

  • Subject changed from CVE-2015-3199 - Auto provision rule does not enforce host group association to org/location to Auto provision rule does not enforce host group association to org/location
  • Description updated (diff)

Updated subject and description.

Actions #7

Updated by Lukas Zapletal over 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Lukas Zapletal
Actions #8

Updated by The Foreman Bot over 9 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman_discovery/pull/202 added
  • Pull request deleted ()
Actions #9

Updated by Anonymous over 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF