Bug #15182
CVE-2016-4451 - Privileges escalation through Organization and Locations API
Description
We set the current org/loc for the user in a before filter blindly, without any association check [2][3]. As a user I'd expect a 404 (the bug fixed by #3549), but I get the list of resources from the org I've chosen even though I'm not associated with it.
Note that this is possible because users have the viewer_role by default, allowing them to view all data regardless of organization. If the user had all filters associated with org 1 only, he/she wouldn't see resources from org 2.
[2]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L11
[3]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L14
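The following is an added example, not Foreman's code and not part of the original report: a plain-Ruby model of the before filter described above, with the unchecked lookup (any organization the caller names in params is set as the current scope) next to a checked lookup that only resolves organizations the user is actually associated with and raises a not-found error otherwise. The model names (Organization, User, Host, the ORGS and HOSTS tables, set_organization_unchecked, set_organization_checked, hosts_for) are assumptions chosen for the illustration; the constructed HOSTS list stands in for resources that an unscoped viewer_role-style filter would otherwise let the user see.

```ruby
# Added example modelling the taxonomy-scope before filter from the report.
# Not Foreman's code; all names and the sample data below are assumptions.

Organization = Struct.new(:id, :name)
# :organizations is the list of orgs the user is associated with.
User = Struct.new(:login, :organizations, :admin)
Host = Struct.new(:name, :organization_id)

# Constructed sample data: two organizations, one host in each.
ORGS = {
  1 => Organization.new(1, "org1"),
  2 => Organization.new(2, "org2"),
}.freeze
HOSTS = [
  Host.new("a.org1.example", 1),
  Host.new("b.org2.example", 2),
].freeze

class NotFound < StandardError; end

# Unchecked variant: the organization_id from the request is trusted as long
# as such an organization exists. Association with the user is never checked.
def set_organization_unchecked(_user, params)
  id = params[:organization_id]
  return nil if id.nil?
  ORGS[id] || raise(NotFound)
end

# Checked variant: resolve the requested id only among the organizations the
# user is associated with (admins may scope to any). Anything else is a 404.
def set_organization_checked(user, params)
  id = params[:organization_id]
  return nil if id.nil?
  visible = user.admin ? ORGS.values : user.organizations
  visible.find { |org| org.id == id } || raise(NotFound)
end

# Stand-in for a viewer-style permission filter that is not itself limited to
# an organization: without a current org it returns everything, and with one
# it returns that org's resources. This is why a blindly set current org leaks.
def list_hosts(scope_org)
  return HOSTS if scope_org.nil?
  HOSTS.select { |host| host.organization_id == scope_org.id }
end

# Runs the before filter (checked or unchecked) and then the index action.
# Returns host names, or :not_found where an API would answer 404.
def hosts_for(user, params, checked:)
  org = if checked
          set_organization_checked(user, params)
        else
          set_organization_unchecked(user, params)
        end
  list_hosts(org).map(&:name)
rescue NotFound
  :not_found
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", [ORGS[1]], false) # associated with org1 only
  p hosts_for(alice, { organization_id: 2 }, checked: false) # leaks org2's host
  p hosts_for(alice, { organization_id: 2 }, checked: true)  # :not_found
end
```

Run it directly to see the two behaviours side by side: with the unchecked filter a user associated only with org1 can scope to org2 and list its hosts, while the checked filter answers not-found for any organization outside the user's own list, which matches the expectation stated in the report.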
Related issues
Associated revisions
Fixes #15182 - limit user taxonomies in API (CVE-2016-4451)
(cherry picked from commit 1144040f444b4bf4aae81940a150b26b23b4623c)
History
#1
Updated by Marek Hulán almost 7 years ago
- Related to Bug #2524: Taxonomy scope API parameters not documented added
#2
Updated by Marek Hulán almost 7 years ago
- Status changed from New to Assigned
Present probably since 1.7.
#3
Updated by Marek Hulán almost 7 years ago
- Related to Tracker #10022: Taxonomies related issues added
#4
Updated by The Foreman Bot almost 7 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3553 added
#5
Updated by Marek Hulán almost 7 years ago
- Subject changed from Privileges escalation through Organization and Locations API to CVE-2016-4451 - Privileges escalation through Organization and Locations API
#6
Updated by Marek Hulán almost 7 years ago
- Bugzilla link set to 1340107
#7
Updated by Marek Hulán almost 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 1144040f444b4bf4aae81940a150b26b23b4623c.
Fixes #15182 - limit user taxonomies in API (CVE-2016-4451)