Bug #10829: CVE-2015-3235 - edit_users permission allows changing of admin passwords - Foreman

Actions

Copy link

Bug #10829

closed

CVE-2015-3235 - edit_users permission allows changing of admin passwords

Added by Dominic Cleal over 9 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

High

Assignee:

Shlomi Zadok

Category:

Users, Roles and Permissions

Target version:

1.9.0

Difficulty:

Triaged:

Bugzilla link:

1233084

Pull request:

https://github.com/theforeman/foreman/pull/2465

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.

Tracked as CVE-2015-3235.

Mitigation¶

Change roles of users with the edit_users permission, remove the "Unlimited" flag and set a search query of "admin = false".

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Custom queries

Bug #10829

CVE-2015-3235 - edit_users permission allows changing of admin passwords

Mitigation¶

Updated by Shlomi Zadok over 9 years ago

Updated by The Foreman Bot over 9 years ago

Updated by Shlomi Zadok over 9 years ago

Updated by Ohad Levy over 9 years ago