Bug #15490
CVE-2016-4995 - view_hosts permissions/filters not checked for provisioning template previews
Description
Users who are logged in with permissions to view some hosts are able to preview provisioning templates for any host by specifying its hostname in the URL, as the specific view_hosts permissions and filters aren't checked. If the organization or location features are enabled, the user will still be restricted to their associated orgs/locs.
This can disclose configuration information about the host, including root password hashes if used in preseed/kickstart templates.
Foreman versions 1.11.0 and higher are vulnerable.
Related issues
Associated revisions
Fixes #15490 - adding view_host filter and better msg
Users who are logged in with permissions to view some hosts are able to
preview provisioning templates for any host by specifying its hostname
in the URL, as the specific view_hosts permissions and filters aren't
checked. If the organization or location features are enabled, the user
will still be restricted to their associated orgs/locs.
This can disclose configuration information about the host, including
root password hashes if used in preseed/kickstart templates.
(cherry picked from commit c3c186de12be15e55d9582e54659f765304a1073)
Fixes #15490 - adding view_host filter and better msg
Users who are logged in with permissions to view some hosts are able to
preview provisioning templates for any host by specifying its hostname
in the URL, as the specific view_hosts permissions and filters aren't
checked. If the organization or location features are enabled, the user
will still be restricted to their associated orgs/locs.
This can disclose configuration information about the host, including
root password hashes if used in preseed/kickstart templates.
(cherry picked from commit c3c186de12be15e55d9582e54659f765304a1073)
History
#1
Updated by Dominic Cleal almost 7 years ago
Updated by - Related to Refactor #13039: Remove DB queries from class of UnattendedController added
#2
Updated by Dominic Cleal almost 7 years ago
- Related to Bug #10689: Unattended controller permission check does not work added
#3
Updated by Dominic Cleal almost 7 years ago
#4
Updated by Dominic Cleal almost 7 years ago
- Subject changed from view_hosts permissions/filters not checked for provisioning template previews to CVE-2016-4995 - view_hosts permissions/filters not checked for provisioning template previews
#5
Updated by Dominic Cleal over 6 years ago
- Status changed from New to Assigned
- Assignee set to Lukas Zapletal
#6
Updated by The Foreman Bot over 6 years ago
Updated by - Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/2428 added
#7
Updated by Lukas Zapletal over 6 years ago
Updated by - Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset c3c186de12be15e55d9582e54659f765304a1073.
Fixes #15490 - adding view_host filter and better msg
Users who are logged in with permissions to view some hosts are able to
preview provisioning templates for any host by specifying its hostname
in the URL, as the specific view_hosts permissions and filters aren't
checked. If the organization or location features are enabled, the user
will still be restricted to their associated orgs/locs.
This can disclose configuration information about the host, including
root password hashes if used in preseed/kickstart templates.