Project

General

Profile

Actions
Copy link

Bug #10829

closed

CVE-2015-3235 - edit_users permission allows changing of admin passwords

Added by Dominic Cleal over 9 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
High
Assignee:
Shlomi Zadok
Category:
Users, Roles and Permissions
Target version:
1.9.0
Difficulty:
Triaged:
Bugzilla link:
1233084
Pull request:
https://github.com/theforeman/foreman/pull/2465
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.

Tracked as CVE-2015-3235.

Mitigation

Change roles of users with the edit_users permission, remove the "Unlimited" flag and set a search query of "admin = false".

Actions
Copy link
 #1

Updated by Shlomi Zadok over 9 years ago

  • Assignee set to Shlomi Zadok
Actions
Copy link
 #2

Updated by The Foreman Bot over 9 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2465 added
  • Pull request deleted ()
Actions
Copy link
 #3

Updated by Shlomi Zadok over 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link
 #4

Updated by Ohad Levy over 9 years ago

  • Bugzilla link set to 1233084
Actions
Copy link

Also available in: Atom PDF