Bug #19612
closedCVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization
Description
it has been found that user with *_users permission who is assigned to some
organization(s) can do all operations granted by these permissions on all
administrator user objects. We consider admin to effectively be present in
all organizations, which was the motivation for displaying them in every context.
On one hand, it make sense from technical point of view. On the other hand,
it's unexpected and user that is supposed to have access to his/her
organizations can edit global admin accounts including changing their
passwords.
The problem seems to be present since Foreman 1.5 [1] where nesting of
organizations was introduced [2]. The fix seems to be straightforward, add
admin ids to the set only if User.current.admin? in Taxonomix module [3]
[1] http://projects.theforeman.org/issues/3912
[2] https://github.com/theforeman/foreman/commit/
1fa008a4#diff-501156756cdcbc510254e30f9e2a29daR40
[3] https://github.com/theforeman/foreman/blob/develop/app/models/concerns/
taxonomix.rb#L85
Updated by Marek Hulán over 7 years ago
- Translation missing: en.field_release set to 248
Updated by The Foreman Bot over 7 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/4545 added
Updated by Marek Hulán over 7 years ago
- Subject changed from User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization to CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization
Updated by Marek Hulán over 7 years ago
- Related to Bug #19664: Upcoming security fix in Foreman breaks Katello tests added
Updated by Marek Hulán over 7 years ago
- Related to Bug #19704: Upcoming security fix in Foreman breaks KeepCurrentUser middleware added
Updated by Anonymous over 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset af9edf1098bf8e643e1607f9375595e375e7ade6.
Updated by Marek Hulán about 7 years ago
- Related to Bug #21782: Notifications for global audience don't work added