Bug #19612

CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization

Added by Marek Hulán over 1 year ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

It has been found that a user with *_users permissions who is assigned to some
organization(s) can do all operations granted by these permissions on all
administrator user objects. We consider admin to effectively be present in
all organizations, which was the motivation for displaying them in every context.

On one hand, it makes sense from a technical point of view. On the other hand,
it's unexpected, and a user that is supposed to have access to his/her
organizations can edit global admin accounts, including changing their
passwords.

The problem seems to have been present since Foreman 1.5 [1], where nesting of
organizations was introduced [2]. The fix seems to be straightforward: add
admin ids to the set only if User.current.admin? in the Taxonomix module [3].

[1] http://projects.theforeman.org/issues/3912
[2] https://github.com/theforeman/foreman/commit/1fa008a4#diff-501156756cdcbc510254e30f9e2a29daR40
[3] https://github.com/theforeman/foreman/blob/develop/app/models/concerns/taxonomix.rb#L85
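The following is an added example, not Foreman's own code or the patch from the associated revisions. It is a toy model of the taxonomy scoping the description refers to: the pre-fix selection always merges admin ids into the set of users visible in an organization, while the fixed selection merges them only when the current user is an admin. The User struct, the constructed data set, the organization context argument and the can_manage_user? rule are all assumptions of this example.

```ruby
# Added illustration, not Foreman's code: a toy model of the Taxonomix scoping
# that CVE-2017-7505 concerns. The User struct, the sample data, the organization
# context argument and the permission rule below are assumptions of this example.

User = Struct.new(:id, :login, :admin, :organization_ids, keyword_init: true) do
  def admin?
    admin
  end
end

# Constructed sample data: one global admin assigned to no organization and two
# non-admin users, each scoped to a single organization.
USERS = [
  User.new(id: 1, login: "admin", admin: true,  organization_ids: []),
  User.new(id: 2, login: "alice", admin: false, organization_ids: [10]),
  User.new(id: 3, login: "bob",   admin: false, organization_ids: [20]),
].freeze

# Ids of users explicitly assigned to the given organization.
def users_in_org(org_id)
  USERS.select { |u| u.organization_ids.include?(org_id) }.map(&:id)
end

# Ids of all admin users, regardless of organization assignment.
def admin_ids
  USERS.select(&:admin?).map(&:id)
end

# Pre-fix behaviour (vulnerable): admins are treated as present in every
# organization, so their ids are always added to the set of users visible in
# the current organization context, whoever is asking.
def taxable_user_ids_vulnerable(_current_user, org_id)
  (users_in_org(org_id) + admin_ids).uniq
end

# Post-fix behaviour: admin ids are merged in only when the current user is an
# admin, so an organization-scoped user never sees, and so never manages,
# global admin accounts.
def taxable_user_ids_fixed(current_user, org_id)
  ids = users_in_org(org_id)
  ids += admin_ids if current_user.admin?
  ids.uniq
end

# Assumed authorization rule for an edit_users-style permission: the target
# must be inside the set of user ids visible in the current organization.
# `scope` selects which of the two id-selection methods above is used.
def can_manage_user?(current_user, org_id, target_id, scope)
  send(scope, current_user, org_id).include?(target_id)
end

if __FILE__ == $PROGRAM_NAME
  admin, alice = USERS[0], USERS[1]
  puts "alice (org 10) can manage admin, vulnerable: " \
       "#{can_manage_user?(alice, 10, admin.id, :taxable_user_ids_vulnerable)}"
  puts "alice (org 10) can manage admin, fixed:      " \
       "#{can_manage_user?(alice, 10, admin.id, :taxable_user_ids_fixed)}"
  puts "admin's own view of org 10, fixed:           " \
       "#{taxable_user_ids_fixed(admin, 10).inspect}"
end
```

Note that the fix changes what organization-scoped users can see, not only what they can edit, which is why the related issues below record breakage in Katello tests, the foreman-tasks KeepCurrentUser middleware and global-audience notifications once admins stopped appearing in taxed contexts.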


Related issues

Related to Katello - Bug #19664: Upcoming security fix in Foreman breaks Katello tests (Closed, 2017-05-25)
Related to foreman-tasks - Bug #19704: Upcoming security fix in Foreman breaks KeepCurrentUser middleware (Closed, 2017-05-30)
Related to Foreman - Bug #21782: Notifications for global audience don't work (Closed, 2017-11-27)

Associated revisions

Revision e19acaf7 (diff)
Added by Marek Hulán over 1 year ago

Refs #19612 - update security page

Revision af9edf10 (diff)
Added by Marek Hulán over 1 year ago

Fixes #19612 - CVE-2017-7505 don't expose admin to taxed users

Revision 7c3d1c5c (diff)
Added by Marek Hulán over 1 year ago

Fixes #19612 - CVE-2017-7505 don't expose admin to taxed users

(cherry picked from commit af9edf1098bf8e643e1607f9375595e375e7ade6)

Conflicts:
app/models/notification.rb

History

#1 Updated by Marek Hulán over 1 year ago

  • Legacy Backlogs Release (now unused) set to 248

#2 Updated by The Foreman Bot over 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4545 added

#3 Updated by Marek Hulán over 1 year ago

  • Subject changed from User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization to CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization

#4 Updated by Marek Hulán over 1 year ago

  • Related to Bug #19664: Upcoming security fix in Foreman breaks Katello tests added

#5 Updated by Marek Hulán over 1 year ago

  • Related to Bug #19704: Upcoming security fix in Foreman breaks KeepCurrentUser middleware added

#6 Updated by Anonymous over 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Marek Hulán 11 months ago

  • Related to Bug #21782: Notifications for global audience don't work added
