Project

General

Profile

Actions

Bug #11579

closed

CVE-2015-5233 - reports show/destroy not restricted by host authorization

Added by Dominic Cleal about 9 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
High
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Foreman 1.5.0 or higher are vulnerable to an authorization issue that allows users to view and delete reports for hosts that they don't have access to.

Reports (from tools such as Puppet) are stored in Foreman and associated to the host they came from. Users can be granted permissions to view and/or destroy reports, and also separate permissions to view certain hosts. The UI and API only list reports where the user has permission to view both reports and the host it was from.

The security issue is that both the show and destroy actions for viewing and deleting individual reports do not limit access to the hosts that the user has permission to view. A user with permission to view or destroy reports can do so for any host if they know the ID, or can easily view the last report for a given host.

Thanks to Daniel Lobato Garcia of Red Hat for reporting this to .

Actions

Also available in: Atom PDF