Bug #15182: CVE-2016-4451 - Privileges escalation through Organization and Locations API
Status: Closed
Description
We set the current org/loc for the user in a before filter blindly, without any association check [2][3]. As a user I'd expect a 404 (bug fixed by #3549), but instead I get the list of resources from the org I've chosen even though I'm not associated with it.
Note that this is possible because users have the viewer_role by default, which allows them to view all data regardless of organization. If the user had all filters associated with org 1 only, he/she wouldn't see resources from org 2.
[2]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L11
[3]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L14
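The pattern described above, as an added stand-alone illustration (this is not Foreman's code): a blind taxonomy-scope filter that trusts the requested organization_id, beside a fixed variant that treats an organization the user is not associated with exactly like a missing one. The User, Organization and Resource models, the NotFound error and the sample data are all constructed for this example; the "view everything" behaviour stands in for the default viewer_role the issue mentions.

```ruby
# Constructed models for the example; none of these names are Foreman's own.
NotFound = Class.new(StandardError)
Organization = Struct.new(:id, :name)
Resource = Struct.new(:id, :organization_id)

class User
  attr_reader :name, :organization_ids

  def initialize(name, organization_ids:)
    @name = name
    @organization_ids = organization_ids
  end

  # Stand-in for the default viewer_role: the user may view all data,
  # regardless of which organization it belongs to.
  def can_view_all?
    true
  end
end

# Constructed sample data: two orgs, resources in each, one user in org 1 only.
ORGS = { 1 => Organization.new(1, "org1"), 2 => Organization.new(2, "org2") }
RESOURCES = [Resource.new(10, 1), Resource.new(11, 1), Resource.new(20, 2)]
ALICE = User.new("alice", organization_ids: [1])

# Vulnerable pattern: the requested organization_id is resolved and becomes the
# current scope with no check that the user is associated with that org.
def set_taxonomy_scope_vulnerable(_user, params)
  org = ORGS[params[:organization_id]]
  raise NotFound, "organization not found" unless org
  org
end

# Fixed pattern: only an organization the user belongs to may become the scope;
# any other id (unknown or not associated) is answered with the same 404.
def set_taxonomy_scope_fixed(user, params)
  id = params[:organization_id]
  org = ORGS[id]
  raise NotFound, "organization not found" unless org && user.organization_ids.include?(id)
  org
end

# Resource listing as the viewer_role sees it: everything, then narrowed to the
# current org. The scope check is therefore the only thing keeping org 2 private.
def list_resources(user, org)
  visible = user.can_view_all? ? RESOURCES : []
  visible.select { |r| r.organization_id == org.id }.map(&:id)
end

# Minimal stand-in for an API index action: run the before-filter scope check,
# then list resources; NotFound maps to a 404 response.
def api_index(user, params, scope_check)
  org = scope_check.call(user, params)
  list_resources(user, org)
rescue NotFound => e
  { status: 404, error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  p api_index(ALICE, { organization_id: 2 }, method(:set_taxonomy_scope_vulnerable)) # leaks org 2
  p api_index(ALICE, { organization_id: 2 }, method(:set_taxonomy_scope_fixed))      # 404
end
```

With the vulnerable filter, alice (a member of org 1 only) can list org 2's resources simply by naming org 2 in the request; with the fixed filter the same request is indistinguishable from asking for an organization that does not exist.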
Updated by Marek Hulán over 8 years ago
- Related to Bug #2524: Taxonomy scope API parameters not documented added
Updated by Marek Hulán over 8 years ago
- Status changed from New to Assigned
Present probably since 1.7.
Updated by Marek Hulán over 8 years ago
- Related to Tracker #10022: Taxonomies related issues added
Updated by The Foreman Bot over 8 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3553 added
Updated by Marek Hulán over 8 years ago
- Subject changed from Privileges escalation through Organization and Locations API to CVE-2016-4451 - Privileges escalation through Organization and Locations API
Updated by Marek Hulán over 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 1144040f444b4bf4aae81940a150b26b23b4623c.