Project

General

Custom queries

Profile

Actions
Copy link

Bug #16982

closed

CVE-2016-7078 - User with no organizations or locations can see all resources

Added by Daniel Lobato Garcia over 8 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Daniel Lobato Garcia
Category:
Security
Target version:
1.15.0
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman/pull/3954, https://github.com/theforeman/foreman/pull/3961, https://github.com/theforeman/foreman/pull/4172, https://github.com/theforeman/foreman/pull/4327, https://github.com/theforeman/foreman/pull/4328, https://github.com/theforeman/foreman/pull/4329
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

The default scope for hosts does not restrict properly by taxonomies. Given this use case:

1. User has role 'Edit host'
2. User has no organization or location
3. User logs in, goes to /hosts and can do anything it's permissions allow to. The list of hosts is unrestricted and shows hosts in any location or organization.
4. If the user gets a taxonomy assigned to it, then the restriction works normally.

This should work so that:

- Users without taxonomies, when set to 'any context' cannot see anything 
 - Users with taxonomies, when set to 'any context' can see everything within all of their taxonomies context.
 - Admins set to 'any context' can see everything - regardless of whether it has a taxonomy or not.
 - Users or admins set to some organization/location scope can only see stuff within scope.

Pending CVE number.

Related issues 7 (0 open7 closed)

Related to Foreman - Bug #18662: Ensure Taxonomix empty default scope isn't overridden by association scopesClosedDominic Cleal02/24/2017Actions
Related to Discovery - Bug #18686: Fix broken tests after taxonomy scope changeClosedLukas Zapletal02/27/2017Actions
Related to Discovery - Bug #19409: Auto provision does not work after taxonomy fixClosedOhad Levy04/27/2017Actions
Related to Foreman - Bug #20017: Mail notifications not being sentClosedMarek Hulán06/14/2017Actions
Related to Foreman - Bug #20321: Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2ClosedMarek Hulán07/17/2017Actions
Related to Foreman - Bug #20515: User searching by login in code does not find the user because of missing unscopedClosedMarek Hulán08/07/2017Actions
Copied to Katello - Bug #17266: Fix tests that depend on CVE 2016-7078ClosedDaniel Lobato Garcia10/18/2016Actions
Actions
Copy link
 #2

Updated by Dominic Cleal over 8 years ago

  • Subject changed from CVE-2016-7078 - User with no organizations or locations can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all resources

Applies to both hosts and objects linked to multiple orgs/locs (via Taxonomix).

Actions
Copy link
 #12

Updated by Anonymous about 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF