Bug #16971: CVE-2016-7077 - Association lists (for < 6 items) shown without authorization/filters - Foreman

Bug #16971

CVE-2016-7077 - Association lists (for < 6 items) shown without authorization/filters

Added by Marek Hulán over 6 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Marek Hulán

Category:

Security

Target version:

1.14.0

Difficulty:

Triaged:

Bugzilla link:

Pull request:

https://github.com/theforeman/foreman/pull/3955

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

To reproduce:

1. setup user with permissions to create architectures
2. make sure you have less than 6 OS in Foreman
3. login as that user, try to create architecture
4. you can see all OSes listed there even if the user does not have any OS
permission

Note that when there are 6 or more OSes, association is authorized properly.

The code that's responsible for this can be found at [1]. I believe it's
present since Foreman 1.1 [2]. Since this is in generic helper, each form
using this helper is vulnerable. It looks like the >= 6 code path (via multiple_select) had
authorisation implemented in #7337 for 1.9.0, and the < 6 code path was left untouched.

[1] https://github.com/theforeman/foreman/blob/develop/app/helpers/form_helper.rb#L48-L58
[2] https://github.com/theforeman/foreman/commit/14d225cc561b6fb2678eb87e9323d7750a06195c

Related issues

Associated revisions

Revision caffb7e8 (diff)
Added by Marek Hulán over 6 years ago

Fixes #16971 - CVE-2016-7077 remove unauthorized checkboxes

History

#1 Updated by Marek Hulán over 6 years ago

Legacy Backlogs Release (now unused) set to 189

#2 Updated by Dominic Cleal over 6 years ago

Subject changed from Associations are not authorized if resource count is less than 6 to CVE-2016-7077 - Association lists (for < 6 items) shown without authorization/filters
Status changed from New to Assigned