Bug #10829

CVE-2015-3235 - edit_users permission allows changing of admin passwords

Added by Dominic Cleal about 3 years ago. Updated 8 days ago.

Status:Closed
Priority:High
Assignee:Shlomi Zadok
Category:Authorization
Target version:1.9.0
Difficulty: Team Backlog:
Triaged: Fixed in Releases:
Bugzilla link:1233084 Found in Releases:
Pull request:https://github.com/theforeman/foreman/pull/2465

Description

A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.

Tracked as CVE-2015-3235.

Mitigation

Change roles of users with the edit_users permission, remove the "Unlimited" flag and set a search query of "admin = false".

Associated revisions

Revision f97fbd6f
Added by Shlomi Zadok about 3 years ago

fixes #10829 - non-admin user cannot update admin password

History

#1 Updated by Shlomi Zadok about 3 years ago

  • Assignee set to Shlomi Zadok

#2 Updated by The Foreman Bot about 3 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2465 added

#3 Updated by Shlomi Zadok about 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Ohad Levy about 3 years ago

  • Bugzilla link set to 1233084

Also available in: Atom PDF