Bug #10829

CVE-2015-3235 - edit_users permission allows changing of admin passwords

Added by Dominic Cleal almost 8 years ago. Updated over 4 years ago.

Status: Closed
Priority: High
Category: Users, Roles and Permissions

Description

A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.

Tracked as CVE-2015-3235.

Mitigation

Edit the roles of any user who holds the edit_users permission: on the edit_users filter, clear the "Unlimited" flag and set the search query to "admin = false", so that the permission applies only to non-admin accounts. A filter that remains "Unlimited" still grants edit access to admin users regardless of the search query.
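The escalation and both countermeasures side by side, as an added Ruby illustration that is not Foreman's code: the User, Filter and Authorizer classes, the toy SHA-256 password digest and the minimal "admin = false" search parser are assumptions standing in for Foreman's models and scoped search, and change_password is a hypothetical helper. The vulnerable check grants any edit_users holder write access to every user; the scoped check models the role-filter mitigation (and shows it is ineffective while the filter stays "Unlimited"); the fixed check models the code-level rule that a non-admin editor can never modify an admin account.

```ruby
require 'digest'

# Toy user record. Real code hashes passwords with bcrypt, not plain SHA-256.
User = Struct.new(:login, :admin, :password_digest, keyword_init: true) do
  def set_password!(plain)
    self.password_digest = Digest::SHA256.hexdigest(plain)
  end
end

# A role filter: a permission name plus either the "Unlimited" flag or a search scope.
Filter = Struct.new(:permission, :unlimited, :search, keyword_init: true)

class Authorizer
  def initialize(editor, filters)
    @editor = editor
    @filters = filters
  end

  # Vulnerable: holding edit_users is enough to edit any user, admins included.
  def vulnerable_can_edit?(_target)
    @filters.any? { |f| f.permission == 'edit_users' }
  end

  # Mitigation from the report: honour the filter scope. An "Unlimited" filter
  # still matches every target, so the mitigation only works once that flag is cleared.
  def scoped_can_edit?(target)
    @filters.any? do |f|
      f.permission == 'edit_users' && (f.unlimited || matches_search?(f.search, target))
    end
  end

  # Code-level fix: a non-admin editor can never change an admin account,
  # regardless of how the filters are configured.
  def fixed_can_edit?(target)
    return false if target.admin && !@editor.admin
    scoped_can_edit?(target)
  end

  private

  # Minimal parser for the only search syntax this example needs: "admin = true|false".
  def matches_search?(search, target)
    m = /\Aadmin\s*=\s*(true|false)\z/.match(search.to_s.strip)
    raise ArgumentError, "unsupported search: #{search.inspect}" unless m
    target.admin == (m[1] == 'true')
  end
end

# Hypothetical controller-style helper: apply the chosen check, then update the password.
# Returns true when the password was changed, false when the request was refused.
def change_password(editor, filters, target, new_password, check:)
  authz = Authorizer.new(editor, filters)
  return false unless authz.public_send(check, target)
  target.set_password!(new_password)
  true
end

# Constructed scenario: an admin and a non-admin "manager" holding edit_users.
def demo
  admin   = User.new(login: 'admin',   admin: true,  password_digest: nil)
  manager = User.new(login: 'manager', admin: false, password_digest: nil)
  admin.set_password!('original')
  manager.set_password!('manager-pw')

  unlimited = [Filter.new(permission: 'edit_users', unlimited: true,  search: nil)]
  scoped    = [Filter.new(permission: 'edit_users', unlimited: false, search: 'admin = false')]

  {
    # Bug: manager resets the admin password and can log in as admin.
    vulnerable_unlimited:     change_password(manager, unlimited, admin.dup, 'pwned', check: :vulnerable_can_edit?),
    # Mitigation applied to the check but the filter left "Unlimited": still exploitable.
    mitigated_still_unlimited: change_password(manager, unlimited, admin.dup, 'pwned', check: :scoped_can_edit?),
    # Mitigation done properly: scope "admin = false" excludes the admin target.
    mitigated_scoped:         change_password(manager, scoped,    admin.dup, 'pwned', check: :scoped_can_edit?),
    # Code fix: refused even with an "Unlimited" filter.
    fixed_unlimited:          change_password(manager, unlimited, admin.dup, 'pwned', check: :fixed_can_edit?),
    # Code fix does not break legitimate edits of non-admin accounts.
    fixed_non_admin:          change_password(manager, unlimited, manager.dup, 'new-pw', check: :fixed_can_edit?),
  }
end

demo.each { |name, changed| puts "#{name}: password changed=#{changed}" } if $PROGRAM_NAME == __FILE__
```

The point the demo makes is that the search-scope mitigation depends on an administrator configuring every affected role correctly, whereas the code-level rule closes the hole for all roles at once; a deployment that applies the mitigation should still verify that no edit_users filter remains "Unlimited".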

Associated revisions

Revision f97fbd6f (diff)
Added by Shlomi Zadok almost 8 years ago

fixes #10829 - non-admin user cannot update admin password

History

#1 Updated by Shlomi Zadok almost 8 years ago

  • Assignee set to Shlomi Zadok

#2 Updated by The Foreman Bot almost 8 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2465 added
  • Pull request deleted ()

#3 Updated by Shlomi Zadok almost 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Ohad Levy almost 8 years ago

  • Bugzilla link set to 1233084
