Bug #15182

CVE-2016-4451 - Privileges escalation through Organization and Locations API

Added by Marek Hulán almost 7 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

We set the current org/loc for the user in a before filter blindly, without any association check [2][3]. As a user I'd expect a 404 (bug fixed by #3549), but I get the list of resources from the org I've chosen even though I'm not associated with it.

Note that this is possible because users have the viewer_role by default, which allows viewing all data regardless of organization. If the user had all filters associated with org 1 only, he/she wouldn't see resources from org 2.

[2]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L11
[3]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L14
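The following is an added example, not Foreman's code: a plain-Ruby model of the taxonomy-scope before filter pattern the report describes, with the blind version next to a version that checks the user's association. The model names (Org, Host, User), the `filter_org_ids` field standing in for role filters, and the sample data are all constructed for illustration and do not correspond to Foreman's actual models or API.

```ruby
# Added example, not Foreman's code: a plain-Ruby model of the API
# taxonomy-scope before filter described in this report. The model names
# (Org, Host, User) and the sample data are constructed for illustration.

Org  = Struct.new(:id, :name)
Host = Struct.new(:name, :organization_id)
# organization_ids: orgs the user is associated with.
# filter_org_ids:   orgs the user's role filters are limited to; nil means
#                   the filters are unscoped (the default viewer_role case).
User = Struct.new(:login, :organization_ids, :filter_org_ids, :admin)

# Constructed sample data.
ORGS  = { 1 => Org.new(1, 'org1'), 2 => Org.new(2, 'org2') }
HOSTS = [Host.new('a.org1.example', 1), Host.new('b.org2.example', 2)]

# Hosts the user's permission filters allow, independent of the org parameter.
def hosts_visible_to(user)
  return HOSTS if user.filter_org_ids.nil?
  HOSTS.select { |h| user.filter_org_ids.include?(h.organization_id) }
end

# Vulnerable pattern: the organization_id parameter becomes the current
# scope after only an existence check. Returns [http_status, host_names].
def vulnerable_index(user, params)
  org = ORGS[params[:organization_id]]
  return [404, nil] if org.nil?
  names = hosts_visible_to(user).select { |h| h.organization_id == org.id }.map(&:name)
  [200, names]
end

# Fixed pattern: the requested org must also be one the user is associated
# with (admins excepted); otherwise respond 404 exactly as for a missing org,
# so the response does not reveal whether the org exists.
def fixed_index(user, params)
  org = ORGS[params[:organization_id]]
  return [404, nil] if org.nil?
  return [404, nil] unless user.admin || user.organization_ids.include?(org.id)
  names = hosts_visible_to(user).select { |h| h.organization_id == org.id }.map(&:name)
  [200, names]
end

if __FILE__ == $PROGRAM_NAME
  # alice: associated with org1 only, but her viewer_role filters are unscoped.
  alice = User.new('alice', [1], nil, false)
  p vulnerable_index(alice, organization_id: 2)  # => [200, ["b.org2.example"]]  (leak)
  p fixed_index(alice, organization_id: 2)       # => [404, nil]
  # bob: same association, but his role filters are limited to org1.
  bob = User.new('bob', [1], [1], false)
  p vulnerable_index(bob, organization_id: 2)    # => [200, []]  (nothing leaks)
end
```

The `bob` case models the report's second paragraph: when the role's filters are themselves scoped to org 1, the blind before filter leaks nothing, which is why the default unscoped viewer_role is what turns a missing association check into cross-organization disclosure.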


Related issues

Related to Foreman - Bug #2524: Taxonomy scope API parameters not documented (Closed, 2013-05-21)
Related to Foreman - Tracker #10022: Taxonomies related issues (New, 2015-04-05)

Associated revisions

Revision 1144040f (diff)
Added by Marek Hulán almost 7 years ago

Fixes #15182 - limit user taxonomies in API (CVE-2016-4451)

Revision c4cdec71 (diff)
Added by Marek Hulán almost 7 years ago

Fixes #15182 - limit user taxonomies in API (CVE-2016-4451)

(cherry picked from commit 1144040f444b4bf4aae81940a150b26b23b4623c)

History

#1 Updated by Marek Hulán almost 7 years ago

  • Related to Bug #2524: Taxonomy scope API parameters not documented added

#2 Updated by Marek Hulán almost 7 years ago

  • Status changed from New to Assigned

Present probably since 1.7.

#3 Updated by Marek Hulán almost 7 years ago

#4 Updated by The Foreman Bot almost 7 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3553 added

#5 Updated by Marek Hulán almost 7 years ago

  • Subject changed from Privileges escalation through Organization and Locations API to CVE-2016-4451 - Privileges escalation through Organization and Locations API

#6 Updated by Marek Hulán almost 7 years ago

  • Bugzilla link set to 1340107

#7 Updated by Marek Hulán almost 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
