Bug #15653
closedCVE-2016-5390 - access to API host interfaces, parameters etc. are not restricted by view_hosts filters
Description
Non-admin users with the view_hosts permission containing a filter are able to access API routes beneath "hosts" such as GET /api/v2/hosts/secrethost/interfaces without the filter being taken into account. This allows users to access network interface details (including BMC login details) for any host.
The filter is only correctly used when accessing the main host details (/api/v2/hosts/secrethost). Access to the "nested" routes, which includes interfaces, reports, parameters, audits, facts and Puppet classes, is not authorized beyond requiring any view_hosts
permission.
Affects Foreman 1.10.0 and higher.
Reported by Daniel Lobato Garcia, Nacho Barrientos and Steve Traylen to foreman-security@googlegroups.com.
CVE identifier will be requested.